7

I've received a warning from the authority that generated my certificate; it says that there is a bug in OpenSSL and it has been found affecting version 1.0.1.

As I understand, I have to upgrade to 1.0.1h to fix this bug.

This is the first time I have dealt with this stuff and I'm worried about how it will affect my server.

Do I have to restart any services? And what exactly? I have to make sure this is not going to take too long.

Shadin

3 Answers

6
  1. Make sure you have a currently supported release: 10.04-server, 12.04, 14.04 or 13.10.

    ~$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 12.04.4 LTS
    Release:    12.04
    Codename:   precise
    
  2. Make sure you install the latest updates. sudo apt-get update && sudo apt-get upgrade

  3. Verify. apt-cache policy openssl should show as installed version 1.0.1-4ubuntu5.14.

    apt-cache policy openssl
    openssl:
      Installed: 1.0.1-4ubuntu5.14
      Candidate: 1.0.1-4ubuntu5.14
      Version table:
     *** 1.0.1-4ubuntu5.14 0
            500 http://archive.ubuntu.com/ubuntu/ precise/main i386 Packages
            500 http://archive.ubuntu.com/ubuntu/ precise-security/main i386 Packages
            500 http://archive.ubuntu.com/ubuntu/ precise-updates/main i386 Packages
            100 /var/lib/dpkg/status
    
  4. Restart any services or the system just to be sure.

mikewhatever
  • apt-get update and apt-get upgrade are the same command by default on many (most?) systems. The user has to specifically make them not the same by changing a setting somewhere. – trysis Jun 07 '14 at 16:10
  • @trysis update updates the package sources, upgrade updates actual packages, so they aren't the same and both are needed (unless that was changed). –  Jun 07 '14 at 16:13
  • Sorry, I was thinking of yum-update vs yum-upgrade. – trysis Jun 07 '14 at 16:33
  • I am going to install the update from here https://www.openssl.org/source/ [ openssl-1.0.1h.tar.gz]. Is it the same version [1.0.1-4ubuntu5.14]? – Shadin Jun 07 '14 at 18:14
  • Not sure why you'd do that. I'd recommend installing updates from the Ubuntu repositories only if possible. The version is not the same, as the numbering tells. – mikewhatever Jun 07 '14 at 19:58
  • I found this earlier: https://www.digicert.com/openssl-ccs-injection-fix.htm. You can see the patches list in the Remediation/Fix section. What do you think of this? – Shadin Jun 07 '14 at 20:33
  • @Shadin that clearly says "update from your vendor." In this case, the "vendor" is Ubuntu, and those updates are available, and should be installed. – dobey Jun 11 '14 at 22:13
  • 10.04 is also supported for this package, I think. – saiarcot895 Jun 15 '14 at 03:01
  • @saiarcot895 Thanks, you are quite right. Corrected above. – mikewhatever Jun 15 '14 at 16:23
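The verification in step 3 can be scripted. This is an added example, not part of the answer above: it parses `apt-cache policy openssl` output and compares the installed version against the fixed package versions quoted in this thread (precise 1.0.1-4ubuntu5.14, trusty 1.0.1f-1ubuntu2.3). It assumes `dpkg` or GNU `sort -V` is available for the version comparison, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answer above): decide whether the installed
# openssl package is at or past the fixed version for the running release.

# Fixed package version per release codename, as given in this thread.
# Extend the table for other releases; unknown codenames are reported as such.
fixed_version_for() {
  case "$1" in
    precise) echo "1.0.1-4ubuntu5.14" ;;
    trusty)  echo "1.0.1f-1ubuntu2.3" ;;
    *)       return 1 ;;
  esac
}

# Read `apt-cache policy openssl` output on stdin, print the Installed: version.
installed_version() {
  awk '/^[[:space:]]*Installed:/ { print $2; exit }'
}

# True when Debian version $1 is >= $2. dpkg does the authoritative comparison;
# sort -V is a fallback for hosts without dpkg (assumption: GNU sort).
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# Usage: openssl_status <codename> < policy-output
# Prints one of: fixed, vulnerable, not-installed, unknown-release.
openssl_status() {
  fixed=$(fixed_version_for "$1") || { echo "unknown-release"; return 0; }
  inst=$(installed_version)
  case "$inst" in
    ""|"(none)") echo "not-installed"; return 0 ;;
  esac
  if version_ge "$inst" "$fixed"; then
    echo "fixed"
  else
    echo "vulnerable"
  fi
}

# Live check on the current host, taking the codename from lsb_release (step 1).
check_this_host() {
  apt-cache policy openssl | openssl_status "$(lsb_release -sc)"
}
```

Run `check_this_host` after `apt-get upgrade`; anything other than `fixed` means the package step is not done yet.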
4

The answer given does not answer the question, and as for the latest package for x86_64 14.04, the latest openssl package info is (if others have a different one, please let me know):

    openssl:
      Installed: 1.0.1f-1ubuntu2.3
      Candidate: 1.0.1f-1ubuntu2.3
      Version table:
     *** 1.0.1f-1ubuntu2.3 0
            500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-updates/main amd64 Packages
            500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-security/main amd64 Packages
            500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.1f-1ubuntu2 0
            500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty/main amd64 Packages
            500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I have been messing around with installing/upgrading that to version 1.0.1h from HERE with no luck yet; when I make some headway I will check back in.

UPDATE: So I found the solution on another thread that just needed to be updated (source post listed below):

Below is the single command line to compile and install the latest openssl version.

    curl https://www.openssl.org/source/openssl-1.0.1h.tar.gz | tar xz && cd openssl-1.0.1h && sudo ./config && sudo make && sudo make install

Replace the old openssl binary with the new one via a symlink. Go to /usr/bin in a terminal and run the command below:

    sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

Reboot and you are good to go. You may want/need to create new certificates. Here is the original thread/post I updated. SOURCE

My output after running commands and rebooting:

    OpenSSL 1.0.1h 5 Jun 2014
    built on: Sat Jun 14 22:43:13 EDT 2014
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
    compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
JohnRB
  • That's because Ubuntu doesn't publish completely new versions of software in released distros; they take the patches that address the security/functionality issues and apply them to the existing version, hence the .3 at the end of the version string. – saiarcot895 Jun 15 '14 at 03:00
  • John..You are the man...! Super like for this answer – J Bourne Feb 03 '15 at 07:56
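A caveat worth checking before trusting the `openssl version` output above: the symlink only replaces the `openssl` command-line binary, while services load the shared libssl/libcrypto from wherever the dynamic linker finds them, and a process that still maps a replaced library runs the old code until it is restarted. This added example (mine, not part of the answer) reads `/proc/<pid>/maps` to report which libssl/libcrypto file each process actually has loaded and whether that file has since been deleted; the maps text in the test is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answer above): show which libssl/libcrypto build
# each process has mapped, and whether the mapped file was replaced on disk.

# Read /proc/<pid>/maps text on stdin; print "<path> <state>" for every
# libssl/libcrypto mapping. State is "deleted" when the file was replaced
# (the process still runs the old code), otherwise "live".
crypto_mappings() {
  awk '$6 ~ /\/lib(ssl|crypto)\.so/ {
         state = ($0 ~ /\(deleted\)$/) ? "deleted" : "live";
         print $6, state
       }' | sort -u
}

# Classify a library path: a /usr/local build comes from "make install",
# anything else is treated as the distro package.
lib_origin() {
  case "$1" in
    /usr/local/*) echo "source-build" ;;
    *)            echo "packaged" ;;
  esac
}

# One line per mapping for one process: "<pid> <path> <origin> <state>".
report_pid() {
  pid=$1
  crypto_mappings < "/proc/$pid/maps" | while read -r path state; do
    echo "$pid $path $(lib_origin "$path") $state"
  done
}

# Scan every process (run as root to see other users' processes).
report_all() {
  for m in /proc/[0-9]*/maps; do
    p=${m#/proc/}
    report_pid "${p%/maps}"
  done 2>/dev/null
}
```

Any line ending in `deleted` names a service to restart; a `packaged` path on a host where only the source build was installed means that service never picked up 1.0.1h at all.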
0

The vulnerability affects OpenSSL clients. Clients using OpenSSL versions below 1.0.1 connecting to servers running OpenSSL versions 1.0.1 and higher are vulnerable and should be updated.

The OpenSSL team has released new versions.

The only way to fix it is to install updated OpenSSL packages and restart affected services. At this time, this doesn't cause certificate or private key information leaking.

For more information see here

Mitch
  • This doesn't properly answer how to update in Ubuntu to get the fix; which is to simply install the updates from the security updates channel. Also, the bug affects both clients and servers, and is only exploitable by some path between both endpoints, when both endpoints are vulnerable. – dobey Jun 11 '14 at 22:12