Debian's patching solution for the OpenSSL heartbleed bug


Listed in: Linux, Internet, Unix, Hacks

If you haven't heard of the "OpenSSL heartbleed bug" by now, you either ignore the world's news or you don't use a computer (how the hell are you reading this?).

I won't go into the details of what the OpenSSL heartbleed bug is (that is covered on far too many other sites), but I can tell you it has caused some serious issues. Although the bug had existed for a very long time (since the release of OpenSSL 1.0.1 back in March 2012), once the fix was released most Linux distributions reacted very quickly and provided patched OpenSSL packages shortly afterwards.

I'm especially satisfied with how Debian handled the importance and publishing of the patches.

On April 7th 2014, OpenSSL released the following security advisory:

TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.

On the same day Debian released the patch DSA-2896-1:

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.
For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1.
For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1.

I immediately applied the patch on all my Debian wheezy systems and confirmed that the vulnerability was closed.
But then Debian surprised me. One day later, on April 8th 2014, a revision of the patch (DSA-2896-2) was released:

This revision to the recent OpenSSL update, DSA-2896-1, checks for some services that may use OpenSSL in a way that they expose the vulnerability.  Such services are proposed to be restarted during the upgrade to help in the actual deployment of the fix.

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u6.

Fortunately I still had another unpatched Debian wheezy system on which to see the difference. As promised in the description, the patch lists the services that need to be restarted. This is what the dialog looks like:

[Screenshot: Debian patch for the OpenSSL heartbleed bug, showing the list of services to be restarted]

After confirming the message, the listed services were restarted.
That's some nice additional information Debian provides here, and it's very helpful. So, Debian Security Team: thanks a lot for that!

Of course it's possible that not all services are listed or detected. In that case a manual "lsof" over the running processes shows which ones still use libssl: a process that loaded the library before the upgrade keeps the old, vulnerable copy mapped in memory until it is restarted, and lsof marks such a mapping as DEL because the file on disk has been replaced. Any process showing a DEL entry for libssl or libcrypto is still vulnerable, no matter what dpkg says.
Example on Apache:

lsof -p $(cat /var/run/ | grep ssl
/usr/sbin 9625 root DEL REG 253,1 134301 /usr/lib/x86_64-linux-gnu/
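The same check, generalized to all processes, as an added shell example that is not part of the original post: it parses lsof output for deleted (DEL) mappings of libssl or libcrypto and prints the PIDs that still need a restart, which is the condition the revised Debian update is looking for. The lsof lines embedded in it are constructed for the dry run, not captured from a real host; check_system runs the real lsof and needs root to see other users' processes.

```sh
#!/bin/sh
# Added example (not from the original post): find processes that still map a
# deleted, i.e. replaced-by-upgrade, libssl/libcrypto and so still run the
# vulnerable code from memory. Assumes a Linux host with lsof installed.

# stale_ssl_pids: read lsof output on stdin and print "PID COMMAND" for every
# process whose libssl/libcrypto mapping is marked DEL in the FD column.
# lsof columns: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME
# (DEL entries omit SIZE/OFF, so only $4 and the last field are used.)
stale_ssl_pids() {
    awk '
        $4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { seen[$2] = $1 }
        END { for (pid in seen) print pid, seen[pid] }
    ' | sort -n
}

# check_system: run the check against the live host (root needed to see all
# processes). Every line printed is a service that still needs a restart.
check_system() {
    lsof -n 2>/dev/null | stale_ssl_pids
}

# Constructed sample lsof output for a dry run (not from a real system):
# apache2 and postfix still map the deleted pre-upgrade libssl, sshd has
# already been restarted and maps the current file (FD "mem", not "DEL"),
# and bash holds an unrelated deleted file that must not be reported.
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 9625 root DEL REG 253,1 134301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2 9625 root DEL REG 253,1 134299 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd 1234 root mem REG 253,1 395840 134400 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
postfix 2222 postfix DEL REG 253,1 134301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
bash 3333 root DEL REG 253,1 5555 /tmp/somefile'

# sample_check: run the parser over the constructed sample; prints
# "2222 postfix" and "9625 apache2", one PID per process even when a process
# maps both libssl and libcrypto.
sample_check() {
    printf '%s\n' "$SAMPLE" | stale_ssl_pids
}
```

Note that a mapping shown as "mem" with the current path means the process loaded the library after the upgrade and is fine; only DEL entries matter. The checkrestart script from the debian-goodies package performs the same kind of search for all upgraded libraries, if you prefer not to script it yourself.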

