The way to fix the Heartbleed vulnerability is to upgrade to the latest version of OpenSSL. You can find links to all the latest code on the OpenSSL website.
If you're curious about the code that implements the fix, you can look at it — after all, OpenSSL is open source:
    /* Read type and payload length first */
    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);    /* read the 16-bit big-endian payload length */
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;
The first part of this code makes sure that the heartbeat request isn't 0 KB (too short to even hold the type, length and padding fields), which can cause problems. The second part makes sure the request is actually as long as it says it is, so the server never echoes back more bytes than the client sent.
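To see the two checks in isolation, here is an added, stand-alone model of the same logic (example code, not OpenSSL's own): it parses a heartbeat record laid out as in RFC 6520 and refuses any record whose claimed payload length does not fit in what was actually received. The record bytes and the helper name `heartbeat_payload` are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* A TLS heartbeat record is:
 *   1 byte type | 2 bytes payload length (big-endian) | payload | >=16 bytes padding
 * Returns the number of payload bytes copied into `out` when the record is
 * well-formed, or -1 when it must be silently discarded (RFC 6520 sec. 4). */
#define HB_PADDING 16

int heartbeat_payload(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_len)
{
    const unsigned char *p = rec;
    unsigned int payload;

    /* First check: the record must at least hold type + length + padding. */
    if (1 + 2 + HB_PADDING > rec_len)
        return -1;                    /* silently discard */

    p++;                              /* hbtype; only the length matters here */
    payload = ((unsigned int)p[0] << 8) | p[1];   /* same as OpenSSL's n2s() */
    p += 2;

    /* Second check: the claimed payload must actually fit in the record.
     * This is the check the Heartbleed fix added; without it the echo copy
     * would read `payload` bytes starting at p regardless of rec_len. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                    /* silently discard per RFC 6520 sec. 4 */

    if (payload > out_len)
        return -1;                    /* caller's buffer too small */
    memcpy(out, p, payload);
    return (int)payload;
}

/* Constructed sample records (not real captures). */
/* Honest record: type 1, length 4, payload "ping", 16 bytes of padding. */
static const unsigned char HB_GOOD[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Lying record: claims 0x4000 bytes of payload but carries only 4. */
static const unsigned char HB_LIE[] = {
    0x01, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

Feeding `HB_LIE` to the function returns -1, whereas an unpatched server would have trusted the 0x4000 and echoed back memory it never received.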
If you discover that a server under your control has been left vulnerable for some time, there's more to do than just update the OpenSSL code. For instance, you should change the SSL certificates used by the servers, since they may have been compromised without leaving a trace. More pedestrian but still important: users who have accounts on the system should change their passwords.