The Heartbleed vulnerability has affected a large number of Linux distributions and online services and most of them have been patched, but it seems that SteamOS is still vulnerable to this particular problem. Valve is the developer of SteamOS, a Linux distribution based on Debian “Wheezy” that is still under development. The way this distribution is updated, and the fact that Valve publishes patches for it every few weeks, mean that SteamOS is still vulnerable to the Heartbleed vulnerability.
In case you didn't know, a vulnerability has been discovered in OpenSSL that has got the Internet all riled up. It seems that this bug has been around for a very long time and only now has it been found and solved. It's not known if anyone took advantage of this problem to steal any confidential data, but the damage that might have been done by it is extensive.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs),” reads the heartbleed.com website.
Bugs in various packages are found and fixed all the time, but they don't usually get their own website and don't prompt everyone to urge users to change their passwords. Even Steam was affected by this problem, but the company has yet to acknowledge the problem.
The thing is that most Linux distributions that have been using that particular version of OpenSSL have been patched and the problems have been solved. And that includes the Debian version that is used as a base for SteamOS.
Here is a list of vulnerable distros. Keep in mind that most have been fixed already:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 and 5.4, OpenSSL 1.0.1c 10 May 2012
FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2, OpenSSL 1.0.1e
OpenSUSE 12.2, OpenSSL 1.0.1c
As you can see, Debian is the first one on the list. The problem with SteamOS is that users can't update the system the way they would a regular Debian installation, so they rely on Valve to release updates. The company hasn't said anything on the official channels, but we expect to see a new patch soon.