Debians patching solution for the openssl heartbleed bug

Written by - 0 comments

Published on - Listed in Linux Internet Unix Hacks


If you haven't heard of the "OpenSSL heartbleed bug" by now, you either ignore the world's news or you don't use a computer (how the hell are you reading this?).

I won't go into details what the OpenSSL heartbleed bug is (this is covered on way too many other sites) but I can tell you this has caused some serious issues. Although the bug was open for a very long time (since the release of 1.0.1 back in March 2012), once a patch was released, most Linux distributions reacted very fast and provided the OpenSSL patches a short time after.

I'm especially satisfied how Debian managed the importance and publishing of the patches.

On April 7th 2014, openssl released the following security advice:

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.

On the same day Debian released the patch DSA 2896-1:

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.
For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1.
For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1.

I immediately applied the patch on all my Debian wheezy systems and confirmed the closed vulnerability.
But then Debian surprised me. One day later, on April 8th 2014, a revision of the patch was released:

This revision to the recent OpenSSL update, DSA-2896-1, checks for some services that may use OpenSSL in a way that they expose the vulnerability.  Such services are proposed to be restarted during the upgrade to help in the actual deployment of the fix.

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u6.

Fortunately I still had another unpatched Debian wheezy system to see the difference. As promised in the description, the patch shows services which need to be restarted. And this is how the dialog looks like:

Debian patch for the openssl heartbleed bug

After confirming the message, the listed services were restarted.
That's some nice additional information what Debian provides here - and its very helpful. So Debian Security Team: Thanks a lot for that!

Of course it's possible that not all services are listed or could be detected, in this case a manual "lsof" of all open processes would show the usage of libssl.
Example on Apache:

lsof -p $(cat /var/run/apache2.pid) | grep ssl
/usr/sbin 9625 root DEL REG 253,1 134301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

 


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder