If you haven't heard of the "OpenSSL heartbleed bug" by now, you either ignore the world's news or you don't use a computer (how the hell are you reading this?).
I won't go into details what the OpenSSL heartbleed bug is (this is covered on way too many other sites) but I can tell you this has caused some serious issues. Although the bug was open for a very long time (since the release of 1.0.1 back in March 2012), once a patch was released, most Linux distributions reacted very fast and provided the OpenSSL patches a short time after.
I'm especially satisfied how Debian managed the importance and publishing of the patches.
On April 7th 2014, openssl released the following security advice:
TLS heartbeat read overrun (CVE-2014-0160)
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
On the same day Debian released the patch DSA 2896-1:
For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.
For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1.
For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1.
I immediately applied the patch on all my Debian wheezy systems and confirmed the closed vulnerability.
But then Debian surprised me. One day later, on April 8th 2014, a revision of the patch was released:
This revision to the recent OpenSSL update, DSA-2896-1, checks for some services that may use OpenSSL in a way that they expose the vulnerability. Such services are proposed to be restarted during the upgrade to help in the actual deployment of the fix.
For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u6.
Fortunately I still had another unpatched Debian wheezy system to see the difference. As promised in the description, the patch shows services which need to be restarted. And this is how the dialog looks like:
After confirming the message, the listed services were restarted.
That's some nice additional information what Debian provides here - and its very helpful. So Debian Security Team: Thanks a lot for that!
Of course it's possible that not all services are listed or could be detected, in this case a manual "lsof" of all open processes would show the usage of libssl.
Example on Apache:
lsof -p $(cat /var/run/apache2.pid) | grep ssl
/usr/sbin 9625 root DEL REG 253,1 134301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
No comments yet.
Personal Internet VMware PHP Linux Shell Bluecoat Proxy Windows Hardware Virtualization Nagios MySQL DB Monitoring Mail Android Network Wyse Hacks Tomcat Postgres Apple Mac Backup BSD ZFS Solaris SmartOS Unix Multimedia Perl Database MongoDB CMS OTRS FreeBSD Wordpress LXC Nginx Proxmox DNS Graphics GlusterFS Security Chef HAProxy Icinga Ansible HTML MariaDB Containers Rancher Docker AWS ELK Kibana Logstash Filebeat Varnish PGSQL PostgreSQL ElasticSearch CouchDB Bash Macintosh Container Minio Grafana InfluxDB Databases NFS OSSEC SystemD Java Zoneminder Surveillance Elasticsearch SSL TLS Icingaweb2 Cloud Wireless Kubernetes Ubuntu