How to Update Ubuntu to fix the Heartbleed SSL bug

Because you don’t want heartbroken servers!

Larry Salibra
Apr 8, 2014

This post was originally posted on the Pay4Bugs Blog.

In case you haven’t heard, a critical bug in the widely used OpenSSL library was disclosed earlier today.

Despite the cool name and vector logo, Heartbleed is one of the scariest security bugs to hit the Internet in a long time.

We patched our servers here at Pay4Bugs earlier today, so I thought I’d share with you how we went about it.

We run Ubuntu 12.04 LTS on our production servers. If you have automatic security updates enabled, your server will automatically update. But there’s no harm in checking to make sure the update has been applied.

Step 1 — Check your current OpenSSL version

Run openssl version -a

    root@sin1:~# openssl version -a
    OpenSSL 1.0.1e 11 Feb 2013
    built on: Mon Jul 15 12:44:45 UTC 2013
    platform: debian-amd64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
    root@sin1:~#

The "built on" date is what we’re interested in. Make sure it’s on or after April 7, 2014. If it’s an earlier date, as in the example above, your server is vulnerable.

Step 2 — Install the latest security updates

Run apt-get update followed by apt-get dist-upgrade

    root@www:~# apt-get dist-upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    The following packages will be upgraded:
      file libmagic1 libssl-dev libssl-doc libssl1.0.0 openssh-client openssh-server openssl
    8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 5,697 kB of archives.
    After this operation, 2,048 B of additional disk space will be used.
    Do you want to continue [Y/n]? y

You might need to restart your server if prompted.

Step 3 — Check to make sure the patched version of OpenSSL successfully installed

Run openssl version -a

    root@discuss:~# openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr 7 20:33:29 UTC 2014
    platform: debian-amd64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
    root@discuss:~#
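The date check from Steps 1 and 3 as a script, added here as an example and not part of the original post. The function names are hypothetical, the sample text is abbreviated from the two outputs above, and the script reports "unknown" when the "built on" line carries no parseable date.

```shell
#!/bin/sh
# Added example: the article's "built on" date check as a script.
# CUTOFF is the article's date (April 7, 2014); function names are hypothetical.
CUTOFF=20140407

# Read `openssl version -a` text on stdin; print the build date as YYYYMMDD.
# Prints nothing when there is no "built on:" line with a parseable date.
built_on_yyyymmdd() {
    awk '
        /^built on:/ {
            # Expected shape: built on: Mon Apr 7 20:33:29 UTC 2014
            mon = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (NF == 8 && length($4) == 3 && mon % 3 == 1 &&
                $5 ~ /^[0-9]+$/ && $8 ~ /^[0-9][0-9][0-9][0-9]$/)
                printf "%04d%02d%02d\n", $8, (mon + 2) / 3, $5
            exit
        }'
}

# Print "patched", "vulnerable" or "unknown"; exit status is 0 only for "patched".
check_build_date() {
    built=$(built_on_yyyymmdd)
    if [ -z "$built" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$built" -ge "$CUTOFF" ]; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Constructed samples, abbreviated from the article's Step 1 and Step 3 output.
SAMPLE_BEFORE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013
platform: debian-amd64'
SAMPLE_AFTER='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
platform: debian-amd64'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$sample" | check_build_date || :
done
```

On a live host, pipe the real output in: openssl version -a | check_build_date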

Larry Salibra is the Founder & CEO of the crowdsourced software testing company Pay4Bugs. Pay4Bugs finds problems with your product before your customers do! Follow Larry on Twitter!
