CVE-2014-0160 impact on linode?

How's linode impacted by CVE-2014-0160? Will there be a patch?

thanks

8 Replies

You might want to read the blog post they just put out :)

https://blog.linode.com/2014/04/08/heartbleed-openssl-vulnerability/

Well, I'm confused.

Trying to mitigate any Heartbleed shenanigans on my Debian Wheezy Linode. I've tested my openSSL version with:

openssl version -a

Which gives me:

OpenSSL 1.0.1e 11 Feb 2013
built on: Wed May 22 07:27:53 UTC 2013
platform: debian-i386-i686/cmov
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -march=i686 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

There seems to be some debate on the intarwebs as to whether that line always gives an accurate version report. So I've also tried

apt-cache policy openssl

Which gives me:

openssl:
  Installed: 1.0.1e-2+deb7u6
  Candidate: 1.0.1e-2+deb7u6
  Version table:
 *** 1.0.1e-2+deb7u6 0
        500 http://security.debian.org/ wheezy/updates/main i386 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://ftp.uk.debian.org/debian/ wheezy/main i386 Packages

I've also tried:

dpkg-query -l 'openssl'

Which gives me:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                     Version           Architecture      Description
+++-========================-=================-=================-=====================================================
ii  openssl                  1.0.1e-2+deb7u6   i386              Secure Socket Layer (SSL) binary and related cryptography

So looks like I'm vulnerable [although I'm still not sure what version I'm actually running!]. However

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

doesn't find or apply any openssl updates.

Also, trying the vulnerability tester at http://filippo.io/Heartbleed/ gives me an "all clear" for one of my domains and a "you're vulnerable" for another. Both of which are hosted on the same Linode. So am I vulnerable or not? And if so, why is apt not finding any openSSL updates?

What does which openssl return?

"1.0.1e-2+deb7u6" is good.

"built on: Wed May 22 07:27:53 UTC 2013" is not.

I suspect you have a nonstandard OpenSSL install, perhaps in /usr/local, that you will need to update manually.

Also it's not a bad idea to reboot after upgrading openssl to ensure all services are restarted with the new version.

Why would 1.01e be "good"? 1.01g is the version corrected for Heartbleed. Mar 2013 is a reasonable build date for 1.01e.

@samh:

Why would 1.01e be "good"? 1.01g is the version corrected for Heartbleed. Mar 2013 is a reasonable build date for 1.01e.

Most distros backport security patches, since they don't bump versions in order to keep the release stable. For example:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html

https://security-tracker.debian.org/tracker/CVE-2014-0160

  • Les
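The two replies above make the same point from different angles: the dpkg version string tells you whether the distro's backported fix is installed, while the "built on:" date tells you whether the binary actually answering "openssl version -a" is that package or an older, separately built copy. The script below is an added example, not code from the thread or from Linode, that makes both checks mechanical. Its assumptions: the fixes for CVE-2014-0160 were published in April 2014, so no earlier build can contain them, and the wheezy revision 1.0.1e-2+deb7u6 reported as good in this thread is taken as the fixed one; the sample reports in the test are constructed from the outputs posted above.

```shell
# Added example (not from the thread or Linode): is the openssl binary in use
# consistent with a Heartbleed-fixed Debian wheezy package?
# Assumptions: CVE-2014-0160 fixes appeared in April 2014, so a binary whose
# "built on:" date is earlier cannot contain them, whatever dpkg says; the
# thread reports 1.0.1e-2+deb7u6 as good, so that revision is the threshold.
FIX_YYYYMM=201404   # earliest year+month a fixed build can carry
FIXED_PKG_REV=6     # deb7u<N> revision reported good in the thread

month_num() {       # three-letter month name -> two-digit number
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *)   echo 00;;
  esac
}

# build_yyyymm REPORT: YYYYMM from the "built on: Wed May 22 07:27:53 UTC 2013"
# line of an "openssl version -a" report; prints 0 when the line is absent.
build_yyyymm() {
  line=$(printf '%s\n' "$1" | grep '^built on:' | head -n 1 || true)
  [ -n "$line" ] || { echo 0; return 0; }
  set -- $line                 # word-split: $4 = month name, $8 = year
  echo "$8$(month_num "$4")"
}

# pkg_looks_fixed VERSION: true when a wheezy package version such as
# 1.0.1e-2+deb7u6 is at or past the fixed revision.
pkg_looks_fixed() {
  case "$1" in
    1.0.1e-2+deb7u*) rev=${1##*deb7u}; [ "$rev" -ge "$FIXED_PKG_REV" ] ;;
    *) return 1 ;;
  esac
}

# verdict VERSION REPORT: "fixed", "update-package", or "stale-binary" (the
# thread's case: dpkg holds a fixed package, but the binary answering
# "openssl version -a" is an older, separately built copy).
verdict() {
  if ! pkg_looks_fixed "$1"; then echo update-package
  elif [ "$(build_yyyymm "$2")" -ge "$FIX_YYYYMM" ]; then echo fixed
  else echo stale-binary
  fi
}

if [ "${1:-}" = "--live" ]; then   # live use on a wheezy host: sh check.sh --live
  verdict "$(dpkg-query -W -f='${Version}' openssl)" "$(openssl version -a)"
  echo "binary in use: $(command -v openssl)"   # compare with dpkg -L openssl
fi
```

A "stale-binary" verdict means apt has nothing left to offer and the copy found by "command -v openssl" (and whatever nginx or other services were linked against) has to be replaced by hand, then the services restarted.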

According to 'which', my openSSL is in /usr/bin and according to 'locate' it seems to be the only version installed. Is that the standard install location? I don't remember installing a custom openSSL directly, but I suppose it could have been done as part of installing nginx. T'was all a very long time ago!

Still confusticated –> :?

Problem Solved. :mrgreen:

In spite of my assertions to the contrary in my first post, I was not in fact running a squeaky clean version of Wheezy, but [according to /etc/debian_version] that two-headed beastie known as Jessie/Sid. This in spite of the fact that all sources in /etc/apt/sources.list were set to Wheezy. I think apt got confused because a while back I built a custom Nginx and installed it [which is presumably where the non-standard version of openSSL got installed too].

Anyway, thanks to a tip I found here, I was able to "downgrade" from my frankenstein version of Debian to plain ol' Wheezy by creating an /etc/apt/preferences file with the following content:

Package: *
Pin: release a=stable
Pin-Priority: 1001

and then running:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

…again. Apt complained a bit about not being able to overwrite Nginx, but the upgrades worked fine and openssl version -a is now reporting that we are secure and [hopefully] our hearts have stopped bleeding:

openssl version -a

OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:05:11 UTC 2014
platform: debian-i386-i686/cmov
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -march=i686 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

I did have to reinstall Nginx again as the upgrade process knackered something and I got a load of 502 Bad Gateway errors, but that only took a couple of minutes and my domains are all up and running again now.

[Sorry if the thread veered slightly off-topic there but it might help other folks who're trying to upgrade openssl and not getting anywhere. Might be worth checking that Apt has not become confused as to what Debian version is actually running on your server.]
