Heartbleed vulnerability


Jamie Orchard-Hays

Apr 8, 2014, 12:50:01 PM
to railsmachin...@googlegroups.com
Since I'm managing with moonshine, what's the proper way to upgrade OpenSSL on my Ubuntu 12.04 servers which have OpenSSL 1.0.1 on them?

http://heartbleed.com

Cheers,

Jamie

Kevin Lawver

Apr 8, 2014, 12:53:56 PM
to railsmachin...@googlegroups.com
Puppet doesn't look to have a way to ensure the version is > a certain version or even enforce a particular version, so I'd do the following:

- cap STAGE shell
- sudo apt-get update && sudo apt-get install openssl -y

That should make sure it gets upgraded to the latest patched version.

Kevin Lawver

Apr 8, 2014, 12:57:14 PM
to railsmachin...@googlegroups.com
Actually, you could add the following to a recipe:

package 'openssl',
:ensure => :latest

And that should make sure it's the latest version on every deploy.

Jamie Orchard-Hays

Apr 8, 2014, 12:58:36 PM
to railsmachin...@googlegroups.com
Thanks, Kevin. Did that and servers report back:

"openssl is already the newest version"

Which obviously is not.

Best way to get apt-get to update the available software?

Cheers,

Jamie

Kevin Lawver

Apr 8, 2014, 1:02:49 PM
to railsmachin...@googlegroups.com
apt-get update should run at the beginning of each deploy.  You should confirm that it didn't already upgrade it (like if you have unattended-upgrades set to automatically install security fixes).  SSH into one of the servers, and run: sudo dpkg -l | grep openssl and check the version against the ubuntu security notice about the vulnerability: http://www.ubuntu.com/usn/usn-2165-1/

If it's been upgraded, it should be 1.0.1-4ubuntu5.12 or greater.

Jamie Orchard-Hays

Apr 8, 2014, 1:26:30 PM
to railsmachin...@googlegroups.com
Thanks for your help, Kevin. I'm confused by what my servers are telling me:

sudo dpkg -l | grep openssl
ii  openssl                          1.0.1-4ubuntu5.12                 Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                   0.12-1ubuntu2.1  

But:

openssl version
OpenSSL 1.0.1 14 Mar 2012

I've rebooted. What am I missing here?

Jamie

Kevin Lawver

Apr 8, 2014, 1:28:34 PM
to railsmachin...@googlegroups.com
You have the correct version installed.  Ubuntu doesn't normally change the release date because they backport fixes (so they've fixed just the security bug but haven't upgraded to a new release of OpenSSL).
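The check Kevin describes (compare the dpkg package version against the USN's fixed version, and ignore what `openssl version` prints, since Ubuntu backports the fix without bumping the upstream version string) is easy to get wrong with a plain string comparison: "5.9" sorts after "5.12" lexically. The script below is an added example, not code from the thread or from moonshine; it implements the Debian version ordering (`dpkg --compare-versions` does the same on a real host) and applies it to `dpkg -l` output. The sample output is constructed, the fixed version is the one quoted above from USN-2165-1, and `libssl1.0.0` is the Ubuntu package name for the shared library that servers actually load, which the thread does not mention but which is the package that matters for a running web server.

```python
import re
from itertools import zip_longest

# Fixed version for Ubuntu 12.04 as quoted in the thread (USN-2165-1).
FIXED_VERSION = "1.0.1-4ubuntu5.12"

# Packages whose version decides whether the host is patched. "openssl" is the
# command-line tool the thread checks; "libssl1.0.0" is the shared library that
# servers link against (Ubuntu package name, assumed here, not from the thread).
PACKAGES = ("openssl", "libssl1.0.0")

# Constructed sample of `dpkg -l | grep openssl`: the tool is patched, the
# library still carries the previous revision.
SAMPLE_DPKG_OUTPUT = """\
ii  openssl         1.0.1-4ubuntu5.12   Secure Socket Layer (SSL) binary and related cryptographic tools
ii  libssl1.0.0     1.0.1-4ubuntu5.11   SSL shared libraries
ii  python-openssl  0.12-1ubuntu2.1     Python wrapper around the OpenSSL library
"""


def _char_weight(c):
    """Ordering dpkg uses inside a non-digit run: '~' sorts before the end of
    the string, letters sort before every other character."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        wx, wy = _char_weight(x), _char_weight(y)
        if wx != wy:
            return -1 if wx < wy else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does:
    alternate non-digit runs (lexical, with the weights above) and digit
    runs (numeric, so ubuntu5.12 is newer than ubuntu5.9)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_versions(dpkg_output):
    """Map package -> version for the installed ('ii') rows of dpkg -l."""
    versions = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            versions[parts[1]] = parts[2]
    return versions


def heartbleed_status(dpkg_output, fixed=FIXED_VERSION, packages=PACKAGES):
    """Map each OpenSSL package found to True (at or above the fixed
    revision) or False (older revision, still vulnerable)."""
    found = installed_versions(dpkg_output)
    return {p: compare_versions(found[p], fixed) >= 0 for p in packages if p in found}


if __name__ == "__main__":
    for pkg, ok in heartbleed_status(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {'patched' if ok else 'VULNERABLE'}")
```

On a real host, pipe `dpkg -l | grep -i ssl` into `heartbleed_status` instead of the constructed sample. One caveat the package version cannot tell you: a process that was already running when the library was upgraded keeps the old code mapped until it is restarted, which is why the reboot mentioned above is not wasted even when dpkg already reports the fixed version.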

Jamie Orchard-Hays

Apr 8, 2014, 1:30:43 PM
to railsmachin...@googlegroups.com
Thanks. I was going nuts wondering why it wasn't installing, but it was. Cheers!

Jamie