augusto
Posts: 7
Joined: Fri Feb 07, 2014 9:50 am

Heartbleed openssl vulnerability

Tue Apr 08, 2014 7:24 am

Hi All,

Just a heads up that a bug, named heartbleed, has been found in OpenSSL, in which an attacker can get the private keys from a WebServer (or any other application that uses TLS).

Please update your raspis and if you are concerned about security, reissue any keys that you used for TLS (especially if you were running apache or nginx over ssl).

Cheers,
Augusto

augusto
Posts: 7
Joined: Fri Feb 07, 2014 9:50 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 7:29 am

I just realised that the Raspi has a version of openssl with the vulnerability (1.0.1e). Does anyone know when 1.0.1g will be available?

You can get the version of openssl installed by running

openssl version -a

gkreidl
Posts: 6355
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 8:25 am

This has been fixed for current Debian sid, jessie, and wheezy already so it should appear in a Raspbian update very soon.

ajwakeman
Posts: 3
Joined: Wed Mar 27, 2013 1:34 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 11:56 am

Still haven't seen an update as of yet, any news?

DougieLawson
Posts: 39864
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 12:22 pm

The update is available for Raspbian for both Wheezy and Jessie.

sudo apt-get update && sudo apt-get dist-upgrade
Installed it on both of my RPis. [It's also available on Ubuntu x86, btw.]

ajwakeman
Posts: 3
Joined: Wed Mar 27, 2013 1:34 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 12:25 pm

Must not have propagated to all the mirrors yet, still no update for me.

andPS2
Posts: 17
Joined: Wed Apr 03, 2013 1:37 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 4:32 pm

still no update for me either ;(

davep
Posts: 28
Joined: Mon Aug 20, 2012 11:27 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 4:49 pm

For me, apt-get upgrade seemed to recognise that the update was there:
The following packages will be upgraded:
openssh-client openssh-server ssh

But it reinstalled the same version. I'm guessing the update picked up that the files needed updating but the mirror files hadn't been updated. Now running apt-get update and upgrade doesn't even try to update the files. Is it possible to try to force this?

dicer
Posts: 6
Joined: Tue Apr 08, 2014 4:15 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 4:52 pm

Even the main Raspbian archive doesn't have the u5 version yet (actually Debian has already released a u6 version!):

http://archive.raspbian.org/raspbian/po ... o/openssl/

openssl_1.0.1e-2+deb7u4.debian.tar.gz

So I really don't know where some people got it from...
I have the following in my /etc/apt/sources.list:

deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi

Am I missing something?

dicer
Posts: 6
Joined: Tue Apr 08, 2014 4:15 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 4:54 pm

davep wrote: openssh-client openssh-server ssh
OpenSSH has nothing to do with this.

jsebean
Posts: 50
Joined: Sun Jan 13, 2013 12:00 am
Location: Atlantic Canada

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 5:06 pm

davep wrote:For me, apt-get upgrade seemed to recognise that the update was there:
The following packages will be upgraded:
openssh-client openssh-server ssh

But it reinstalled the same version. I'm guessing the update picked up that the files needed updating but the mirror files hadn't been updated. Now running apt-get update and upgrade doesn't even try to update the files. Is it possible to try to force this?
OpenSSH is not OpenSSL.

jsebean
Posts: 50
Joined: Sun Jan 13, 2013 12:00 am
Location: Atlantic Canada

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 5:09 pm

DougieLawson wrote:The update is available for Raspbian for both Wheezy and Jessie.

sudo apt-get update && sudo apt-get dist-upgrade
Installed it on both of my RPis. [It's also available on Ubuntu x86, btw.]
I don't believe this because it didn't work for me. Are you sure yours actually updated? What does the version number say you have when you run

sudo apt-cache show openssl

davep
Posts: 28
Joined: Mon Aug 20, 2012 11:27 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 5:11 pm

jsebean wrote:OpenSSH is not OpenSSL.
Oops, I had assumed there was a common library or something.

jicho
Posts: 6
Joined: Sun Jan 20, 2013 8:08 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 5:36 pm

No updates found here either :(

According to this:
https://www.debian.org/security/2014/dsa-2896

There should be an update... Strange

jsebean
Posts: 50
Joined: Sun Jan 13, 2013 12:00 am
Location: Atlantic Canada

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 5:50 pm

jicho wrote:No updates found here either :(

According to this:
https://www.debian.org/security/2014/dsa-2896

There should be an update... Strange
There is none because the Raspberry Pi has its own repos specifically for the Pi with packages compiled for the ARMv6, so the new updated package needs to be merged with the Raspberry Pi's repos.

jsebean
Posts: 50
Joined: Sun Jan 13, 2013 12:00 am
Location: Atlantic Canada

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 6:05 pm

davep wrote:
jsebean wrote:OpenSSH is not OpenSSL.
Oops, I had assumed there was a common library or something.
Easy to confuse as I saw it too, at first glance I thought it was openSSL but then realized it wasn't. Still important to install though, I did on mine.

jicho
Posts: 6
Joined: Sun Jan 20, 2013 8:08 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 6:25 pm

jsebean wrote:
jicho wrote:No updates found here either :(

According to this:
https://www.debian.org/security/2014/dsa-2896

There should be an update... Strange
There is none because the Raspberry Pi has its own repos specifically for the Pi with packages compiled for the ARMv6, so the new updated package needs to be merged with the Raspberry Pi's repos.
You're right.

dicer
Posts: 6
Joined: Tue Apr 08, 2014 4:15 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 6:55 pm

Here is the official Raspbian bug:
https://bugs.launchpad.net/raspbian/+bug/1304506

davep
Posts: 28
Joined: Mon Aug 20, 2012 11:27 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 7:22 pm

It just updated for me to 1.0.1e-2+rvt+deb7u5

dicer
Posts: 6
Joined: Tue Apr 08, 2014 4:15 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 7:34 pm

Yes, update is out :)

dicer
Posts: 6
Joined: Tue Apr 08, 2014 4:15 pm

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 7:37 pm

Don't forget to exchange your ssl key and request a new certificate! And consider all passwords used over that service leaked as well. Same goes for data.
I'll update my ssl keys as well as all the openvpn keys/certs.

typhoon
Posts: 78
Joined: Sat Jan 28, 2012 8:04 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 9:09 pm

Stupid question: how to exchange your ssl key and request a new certificate?
Shouldn't this be offered as an option during the upgrade on the package?

augusto
Posts: 7
Joined: Fri Feb 07, 2014 9:50 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 9:48 pm

davep wrote:It just updated for me to 1.0.1e-2+rvt+deb7u5
I find it a bit confusing that Debian backported the fix to 1.0.1e, but I assume that this is because it's the stable release.

For general information: if you run openssl version -a, it will display 1.0.1e (which is one of the versions described as having the bug). To know if you really have the patched version run

$ sudo apt-cache show openssl
Package: openssl
Version: 1.0.1e-2+rvt+deb7u5
[...]
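An added check (my example, not code from any poster) that encodes the point above: it reads the package version from apt-cache/dpkg-style metadata and decides patched or not from the Debian revision, because the upstream string 1.0.1e is the same before and after the fix. The sample metadata is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tell a patched wheezy openssl package from
# an unpatched one by its Debian package version, since "openssl version -a"
# prints 1.0.1e for both. Input is metadata in the format that
# "apt-cache show openssl" or "dpkg -s openssl" print; the samples below are constructed.

# Print the first "Version:" field from package metadata read on stdin.
pkg_version() {
    awk -F': ' '/^Version:/ { print $2; exit }'
}

# heartbleed_fixed VERSION: return 0 if VERSION is a wheezy 1.0.1e build with
# Debian revision deb7u5 or later (the DSA-2896 fix), 1 if it is older,
# 2 if it is not a wheezy 1.0.1e build at all and must be judged separately.
heartbleed_fixed() {
    ver="$1"
    case "$ver" in
        1.0.1e-2+*deb7u*) ;;
        *) return 2 ;;
    esac
    n=$(printf '%s\n' "$ver" | sed -n 's/.*deb7u\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] && [ "$n" -ge 5 ]
}

# Report one package's status from its metadata text.
report() {
    v=$(printf '%s\n' "$1" | pkg_version)
    if heartbleed_fixed "$v"; then
        echo "$v: patched"
    else
        echo "$v: NOT known to be patched"
    fi
}

# Constructed sample metadata: the Raspbian build before and after the fix.
OLD_META='Package: openssl
Version: 1.0.1e-2+rvt+deb7u4
Architecture: armhf'
NEW_META='Package: openssl
Version: 1.0.1e-2+rvt+deb7u5
Architecture: armhf'

report "$OLD_META"
report "$NEW_META"
# On a live Pi: dpkg -s libssl1.0.0 | pkg_version  (the library package is what
# apache, nginx and openvpn link against; restart them after upgrading it, since
# a running process keeps the old library mapped until it restarts).
```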

davep
Posts: 28
Joined: Mon Aug 20, 2012 11:27 am

Re: Heartbleed openssl vulnerability

Tue Apr 08, 2014 11:16 pm

typhoon wrote:Stupid question: how to exchange your ssl key and request a new certificate?
Shouldn't this be offered as an option during the upgrade on the package?
I use Citadel Server for email and used their guide http://www.citadel.org/doku.php/faq:sys ... _authority but the commands should be useful generally.

gdt
Posts: 85
Joined: Thu Jul 19, 2012 10:19 am

Re: Heartbleed openssl vulnerability

Wed Apr 09, 2014 2:59 am

For future reference, instructions to rebuild openssl from the Wheezy source. I did this whilst waiting for an official Raspbian package to minimise downtime of SSL-using services. Academic now, but I hope the instructions help someone in the future.

Edit: I've read above that people should generate a new Private Key and a new Certificate Signing Request, and purchase a new CA-signed Certificate. That is correct.

However installing new certificates alone is not adequate. To prevent misuse you must also revoke the old (potentially stolen) certificate. Your CA may charge for this even if their CA-signed certificate was free. You may need to create a revocation using the old key and certificate, so do copy them somewhere before replacing them with the new key and new certificate.
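Added example for typhoon's question and gdt's answer above (my script, not from the thread or the linked Citadel guide): it moves the old key and certificate aside, since the revocation may need them, then creates a fresh key and a CSR to submit to the CA. The directory layout, file names and the subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rotate a TLS key pair after patching.
# Keeps the old key and certificate aside (revoking the old certificate at the
# CA may require them), then writes a new private key and CSR.
set -e

# Print a fingerprint of an RSA private key's public modulus, so the new key
# can be shown to differ from the old one rather than just being a new file.
key_fingerprint() {
    openssl rsa -in "$1" -noout -modulus | openssl sha1 | awk '{ print $NF }'
}

# rotate_key DIR SUBJECT: back up DIR/server.key and DIR/server.crt (if present)
# into DIR/old-<timestamp>/, then create DIR/server.key and DIR/server.csr.
# The CSR is what you submit to the CA for the replacement certificate.
rotate_key() {
    dir="$1"; subj="$2"
    backup="$dir/old-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in server.key server.crt; do
        [ -f "$dir/$f" ] && mv "$dir/$f" "$backup/$f"
    done
    # umask 077 so the new key is never world-readable, even briefly.
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/server.key" -subj "$subj" -out "$dir/server.csr"
    # Confirm the CSR's self-signature checks out against the new key.
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Constructed scenario: a scratch directory holding a freshly made "old" key.
demo() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    old_fp=$(key_fingerprint "$work/server.key")
    rotate_key "$work" "/CN=pi.example.invalid"
    new_fp=$(key_fingerprint "$work/server.key")
    [ "$old_fp" != "$new_fp" ] && echo "new key differs from the backed-up key"
    echo "files in $work; submit server.csr to your CA, then revoke the old cert"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run as `sh rotate.sh demo` to exercise it in a temporary directory; point rotate_key at the real directory only after the upgraded openssl is installed.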
