Debian Wheezy OpenSSL heartbleed patching tutorial

A quick tip on patching the CVE-2014-0160 vulnerability, in this case on Debian 7. There are a few ways to secure your server (recompiling the package with the no-heartbleed switch, disabling SSL support, and so on), but here is (IMHO) the easiest and fastest solution, using already patched packages.

Update 2014-04-09 19:55: Hours after I wrote this tutorial, the openssl and libssl packages were updated in the wheezy repository. Right now just run:

sudo apt-get update
sudo apt-get upgrade

That’s all. Remember to regenerate your certificates.

Before update:

First, add the testing-release repositories to apt, where a newer version of openssl is available. Edit /etc/apt/sources.list and make it look like:

deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://ftp.debian.org/debian-security jessie/updates main contrib non-free

deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://ftp.debian.org/debian-security wheezy/updates main contrib non-free

Save and run:

sudo apt-get update
sudo apt-get -t jessie install openssl libssl1.0.0

Confirm the update, wait a moment, and then check:

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

After all these steps, restart all the servers that use openssl, e.g.:

sudo /etc/init.d/apache2 restart

I also recommend performing a full OS restart. Now you can use one of these two tools to check your website: filippo.io or possible.lv.

If you’re using the CloudFlare proxy on your domain, you’ll probably see an “Uh-oh timeout” message; that’s OK.

Library: OpenSSL 1.0.1e

If, after running

openssl version

you see something like:

OpenSSL 1.0.1g 7 Apr 2014 (Library: OpenSSL 1.0.1e 11 Feb 2013)

you just have to update libssl. Run:

sudo apt-get -t jessie install libssl1.0.0

Should help :-).
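
The two post-upgrade checks this post relies on (restarting every server that uses openssl, and spotting a binary/library version mismatch), as an added shell example that is not part of the original post: it parses the openssl version line and scans /proc for processes that still map a replaced libssl. The function names, the check argument and the sample maps line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Post-upgrade check for Linux hosts.

# Version line quoted in the post; the maps line is constructed sample data.
SAMPLE_VERSION='OpenSSL 1.0.1g 7 Apr 2014 (Library: OpenSSL 1.0.1e 11 Feb 2013)'
SAMPLE_MAPS='7f3c1a200000-7f3c1a256000 r-xp 00000000 08:01 393234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

# Print "<binary> <library>" versions from one line of `openssl version` output.
# Without a "(Library: ...)" suffix the binary and library versions agree.
openssl_versions() {
    bin=${1#OpenSSL }; bin=${bin%% *}
    case $1 in
        *"(Library: OpenSSL "*) lib=${1#*"(Library: OpenSSL "}; lib=${lib%% *} ;;
        *) lib=$bin ;;
    esac
    printf '%s %s\n' "$bin" "$lib"
}

# True if the given /proc/<pid>/maps file still maps a libssl or libcrypto
# file that was replaced on disk (the kernel marks it "(deleted)").
has_stale_ssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# List "pid name" for every process that must be restarted to load the new library.
list_stale_ssl_procs() {
    for maps in /proc/[0-9]*/maps; do
        if has_stale_ssl "$maps"; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Run the checks only when called as: sh check.sh check
# (run as root so every process's maps file is readable)
if [ "${1:-}" = check ]; then
    set -- $(openssl_versions "$(openssl version)")
    [ "$1" = "$2" ] || echo "libssl is still $2 while the openssl binary is $1"
    list_stale_ssl_procs
fi
```

Any process it lists is still running the old library code in memory, whatever openssl version reports, until that process is restarted.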
