CVE-2014-0160 impact on linode?
thanks
8 Replies
Trying to mitigate any Heartbleed shenanigans on my Debian Wheezy Linode. I've tested my OpenSSL version with:
openssl version -a
Which gives me:
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed May 22 07:27:53 UTC 2013
platform: debian-i386-i686/cmov
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -march=i686 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
There seems to be some debate on the intarwebs as to whether that line always gives an accurate version report. So I've also tried
apt-cache policy openssl
Which gives me:
openssl:
Installed: 1.0.1e-2+deb7u6
Candidate: 1.0.1e-2+deb7u6
Version table:
*** 1.0.1e-2+deb7u6 0
500 http://security.debian.org/ wheezy/updates/main i386 Packages
100 /var/lib/dpkg/status
1.0.1e-2+deb7u4 0
500 http://ftp.uk.debian.org/debian/ wheezy/main i386 Packages
I've also tried:
dpkg-query -l 'openssl'
Which gives me:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-========================-=================-=================-=====================================================
ii openssl 1.0.1e-2+deb7u6 i386 Secure Socket Layer (SSL) binary and related cryptography
So looks like I'm vulnerable [although I'm still not sure what version I'm actually running!]. However
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
doesn't find or apply any openssl updates.
Also, trying the vulnerability tester at
which openssl
return?
"1.0.1e-2+deb7u6" is good.
"built on: Wed May 22 07:27:53 UTC 2013" is not.
I suspect you have a nonstandard OpenSSL install, perhaps in /usr/local, that you will need to update manually.
@samh:
Why would 1.01e be "good"? 1.01g is the version corrected for Heartbleed. Mar 2013 is a reasonable build date for 1.01e.
Most distros backport security patches, since they don't bump versions in order to keep the release stable. For example:
- Les
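A small check script, added here as an example (it is not from this thread, Linode or Debian), that combines samh's point about a non-packaged openssl binary with Les's point that the Debian package revision, not the upstream "1.0.1e" string, says whether the backport is installed. It assumes 1.0.1e-2+deb7u6 (the revision samh calls good above) as the threshold, falls back to sort -V when dpkg is absent, and assumes libssl1.0.0 is the Wheezy library package name.

```sh
#!/bin/sh
# Added example, not from the thread: does this Debian box carry the
# backported Heartbleed fix, and is the openssl on PATH even a packaged one?
# Assumption: the threshold is the revision samh called good; set
# FIXED_VERSION to the DSA's fixed revision for another release.
FIXED_VERSION="${FIXED_VERSION:-1.0.1e-2+deb7u6}"

# deb_version_ge A B: succeed if Debian version A >= B. dpkg is authoritative;
# the sort -V fallback (assumption) is adequate for x.y.zN-R+debNuM strings.
deb_version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# classify VERSION FIXED: print patched, vulnerable, or unknown (not installed).
classify() {
    if [ -z "$1" ]; then echo unknown
    elif deb_version_ge "$1" "$2"; then echo patched
    else echo vulnerable
    fi
}

# installed_version PKG: dpkg's installed version of PKG, empty if none.
installed_version() { dpkg-query -W -f='${Version}' "$1" 2>/dev/null; }

# binary_owner PATH: package owning PATH, empty if dpkg knows nothing about it
# (a /usr/local build, for instance, which apt will never update).
binary_owner() { dpkg -S "$1" 2>/dev/null | cut -d: -f1; }

report() {
    bin=$(command -v openssl 2>/dev/null)
    if [ -z "$bin" ]; then
        echo "no openssl binary on PATH"
    elif owner=$(binary_owner "$bin") && [ -n "$owner" ]; then
        echo "binary $bin: owned by package $owner"
    else
        echo "binary $bin: NOT from any .deb, update it by hand"
    fi
    # The openssl package is only the CLI tool; services load the shared
    # library from libssl1.0.0 (assumption: Wheezy package name), so check both.
    for pkg in openssl libssl1.0.0; do
        ver=$(installed_version "$pkg")
        echo "package $pkg ${ver:-(not installed)}: $(classify "$ver" "$FIXED_VERSION")"
    done
}

report
```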
Still confusticated –>
In spite of my assertions to the contrary in my first post, I was not in fact running a squeaky clean version of Wheezy, but [according to /etc/debian_version
Anyway, thanks to a tip I found here
Package: *
Pin: release a=stable
Pin-Priority: 1001
and then running:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
…again. Apt complained a bit about not being able to overwrite Nginx, but the upgrades worked fine and
openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr 8 10:05:11 UTC 2014
platform: debian-i386-i686/cmov
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -march=i686 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
I did have to reinstall Nginx again as the upgrade process knackered something and I got a load of 502 Bad Gateway errors, but that only took a couple of minutes and my domains are all up and running again now.
[Sorry if the thread veered slightly off-topic there but it might help other folks who're trying to upgrade openssl and not getting anywhere. Might be worth checking that Apt has not become confused as to what Debian version is actually running on your server.]