Heartbleed vulnerability

13 views
Skip to first unread message

Jamie Orchard-Hays

unread,
Apr 8, 2014, 12:50:01 PM4/8/14
to railsmachin...@googlegroups.com
Since I'm managing with moonshine, what's the proper way to upgrade OpenSSL on my Ubuntu 12.04 servers which have OpenSSL 1.0.1 on them?

http://heartbleed.com

Cheers,

Jamie

Kevin Lawver

unread,
Apr 8, 2014, 12:53:56 PM4/8/14
to railsmachin...@googlegroups.com
Puppet doesn't look to have a way to ensure the version is > a certain version or even enforce a particular version, so I'd do the following:

- cap STAGE shell
- sudo apt-get update && sudo apt-get install openssl -y

That should make sure it gets upgraded to the latest patched version.
> --
> You received this message because you are subscribed to the Google Groups "Moonshine" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to railsmachine-moon...@googlegroups.com.
> To post to this group, send email to railsmachin...@googlegroups.com.
> Visit this group at http://groups.google.com/group/railsmachine-moonshine.
> For more options, visit https://groups.google.com/d/optout.

Kevin Lawver

unread,
Apr 8, 2014, 12:57:14 PM4/8/14
to railsmachin...@googlegroups.com
Actually, you could add the following to a recipe:

package 'openssl',
:ensure => :latest

And that should make sure it's the latest version on every deploy.

On Apr 8, 2014, at 12:50 PM, Jamie Orchard-Hays <jami...@gmail.com> wrote:

Jamie Orchard-Hays

unread,
Apr 8, 2014, 12:58:36 PM4/8/14
to railsmachin...@googlegroups.com
Thanks, Kevin. Did that and servers report back:

"openssl is already the newest version"

Which obviously is not.

Best way to get apt-get to update the available software?

Cheers,

Jamie

Kevin Lawver

unread,
Apr 8, 2014, 1:02:49 PM4/8/14
to railsmachin...@googlegroups.com
apt-get update should run at the beginning of each deploy.  You should confirm that it didn't already upgrade it (like if you have unattended-upgrades set to automatically install security fixes).  SSH into one of the servers, and run: sudo dpkg -l | grep openssl and check the version against the ubuntu security notice about the vulnerability: http://www.ubuntu.com/usn/usn-2165-1/

If it's been upgraded, it should be 1.0.1-4ubuntu5.12 or greater.

Jamie Orchard-Hays

unread,
Apr 8, 2014, 1:26:30 PM4/8/14
to railsmachin...@googlegroups.com
Thanks for your help, Kevin. I'm confused by what my servers are telling me:

sudo dpkg -l | grep openssl
ii  openssl                          1.0.1-4ubuntu5.12                 Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                   0.12-1ubuntu2.1  

But:

openssl version
OpenSSL 1.0.1 14 Mar 2012

I've rebooted. What am I missing here?

Jamie

Kevin Lawver

unread,
Apr 8, 2014, 1:28:34 PM4/8/14
to railsmachin...@googlegroups.com
You have the correct version installed.  Ubuntu doesn't normally change the release date because they backport fixes (so they've fixed just the security bug but haven't upgraded to a new release of OpenSSL).

Jamie Orchard-Hays

unread,
Apr 8, 2014, 1:30:43 PM4/8/14
to railsmachin...@googlegroups.com
Thanks. I was going nuts wondering why it wasn't installing, but it was. Cheers!

Jamie
Reply all
Reply to author
Forward
0 new messages