The recently discovered "Heartbleed" bug in OpenSSL is an extremely critical security issue. Fixing it is relatively simple now that Ubuntu has pushed out changes to their repositories containing a fixed version of OpenSSL.
The following steps need to be run on each server that you generated a certificate or private key on. If you are using one certificate on multiple servers, then the cert needs to be revoked and regenerated on one of them and then pushed to each of the other servers.
UPDATE: Thanks to anonymous commenter for pointing out that relying solely on the build information is not completely accurate. Versions earlier than 1.0.1 are not vulnerable (although you should upgrade now that a fix is live for the latest version).
First, to check whether you already have the patched version, run the following commands:
openssl version -b
openssl version -a
The response will look like:
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:45:51 UTC 2014
If the version is 1.0.1 and the build date is older than "Mon Apr 7 20:33:29 UTC 2014" (that is, the build is dated before April 7), then you are vulnerable to the Heartbleed bug.
UPDATE: Reworded the above to make it clearer that the vulnerable versions were built before April 7th.
UPDATE: As James points out in the comments, different versions may have been built at different times, thus you should rely only on the date, not the time. Anything before Apr 7 is considered vulnerable.
Next, update your repositories:
sudo apt-get update
Once this finishes, upgrade openssl and libssl:
sudo apt-get install openssl libssl1.0.0
UPDATE: use the install command (above) to upgrade only openssl and libssl rather than upgrading everything on the server.
Once the upgrade finishes, check the version again. It should now read "Apr 7" or later.
Now, you need to regenerate your certificate using a new private key. This process is the same as it has always been, but I am including the link here for posterity's sake:
(Use step 3 and replace the key and cert names with your existing ones to overwrite them).
Once finished, you need to restart your Apache server and any services using SSL.
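As an added example (my own script, not part of the original post), the following POSIX shell applies the post's rule to the text that "openssl version -a" prints: a 1.0.1 build dated before April 7 2014 is vulnerable, only the date is compared (never the time), and older branches such as 0.9.8 are not affected. It then lists the processes that still have a replaced libssl mapped, which is exactly the set of services that still need restarting after the upgrade. The function names and the handling of build strings that print the year after the time are my own assumptions.

```shell
#!/bin/sh
# Prints a verdict for the text `openssl version -a` printed; exit status
# 0 = vulnerable (1.0.1 build dated before 7 Apr 2014), 1 = not vulnerable,
# 2 = could not decide. Only the date is compared, never the time of day.
heartbleed_check() {
    info="$1"
    ver=$(printf '%s\n' "$info" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    built=$(printf '%s\n' "$info" | sed -n 's/^built on: *//p')
    case "$ver" in
        1.0.1*) ;;
        '') echo "unknown (no 'OpenSSL x.y.z' line found)"; return 2 ;;
        *) echo "not-vulnerable ($ver is outside the 1.0.1 branch)"; return 1 ;;
    esac
    # "Mon Apr 7 20:33:29 UTC 2014": month and day are fields 2 and 3; the
    # year is whichever field is four digits (assumed: newer builds print it before UTC).
    set -- $built
    mon=$2; day=$3; year=
    for f in "$@"; do case "$f" in [0-9][0-9][0-9][0-9]) year=$f ;; esac; done
    case "$mon" in Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;; *) m=0;; esac
    case "$day" in [0-9]|[0-9][0-9]) day=${day#0} ;; *) day= ;; esac
    if [ -z "$year" ] || [ "$m" -eq 0 ] || [ -z "$day" ]; then
        echo "unknown (could not parse build date: '$built')"; return 2
    fi
    stamp=$((year * 10000 + m * 100 + day))   # Jan 8 2014 -> 20140108
    if [ "$stamp" -lt 20140407 ]; then
        echo "vulnerable ($ver built $mon $day $year, before 7 Apr 2014)"; return 0
    fi
    echo "not-vulnerable ($ver built $mon $day $year)"; return 1
}

# PIDs whose memory maps still reference a libssl marked "(deleted)": the file
# was replaced by the upgrade but they keep running the old code until restarted.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null || continue
        pid=${maps#/proc/}; echo "${pid%%/*}"
    done | sort -un
}

# When run directly: check the local build, then list what still needs a restart.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_check "$(openssl version -a)" || true
    echo "pids still mapping a replaced libssl:"; stale_libssl_pids
fi
```

Run it as root after the apt-get install step; any PID it prints belongs to a service that is still using the old library and must be restarted.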
Update: Now with video:
Matt, per heartbleed.com, OpenSSL 0.9.8 branch is not vulnerable. So judging vulnerability by the date of the build isn't accurate.
Thank you for pointing this out. I have updated the post accordingly - the main difference is to use "openssl version -a" and look at the version number.
Thanks Matt. I got the answer now. I just did this: sudo apt-get install -y libssl1.0.0 openssl. It worked.
I am not computer savvy, I don't have Ubuntu, so I am unsure if I need to do anything about this bug? I don't run any websites, I just use social media blogs. Is there anything I have to do?
You shouldn't have to do anything. The services you use (Facebook, Twitter, etc.) are responsible for updating their sites (and have been all day).
Well, Anonymous may wish to change his passwords once he's sure the services have updated their servers.
You should probably update the following statement:
> If the date is not more recent than "Mon Apr 7 20:33:29 UTC 2014"
since different builds of the fixed OpenSSL for different architectures were built at different times, some of them earlier than that; for example, on my system it's "built on: Mon Apr 7 20:31:55 UTC 2014". I wasn't quite sure initially if that meant I was vulnerable or not, so you should probably update it to say anything built before April 7 is vulnerable.
Thanks for pointing this out - I am updating it now.
Maybe "If the date is not more recent than" should be changed to "If the date is older than". To me it currently reads as if the Apr 7 build is vulnerable (although this is contradicted in the next paragraph).
Thanks for this guide though!
I am also not computer savvy - please feel free to ignore or delete this: I note that the procedure also does not appear to work for Ubuntu 13.04. Perhaps the reason is that ver. 13.04 is no longer being updated and maintained by Canonical.
I'd had the same problem and needed to patch some old 13.04 systems. Posted the builds we did here: http://invalidlogic.com/2014/04/10/openssl-heartbleed-patches-for-ubuntu-13-04/
The digitalocean link is broken.
Thanks, should be fixed now.
Hi Matthew,
Here is how it should look to fix the issue:
sudo apt-get install openss llibssl1.0.0
You mean?
sudo apt-get install openssl libssl1.0.0
A rather big extra note is that you need to restart at least openssl for the fix to take effect. Simply upgrading while openssl is running will not resolve the issue.
We have Outlook Web Access but do not use OpenSSL. However, one site that tested our site said the bug is possible when linking against OpenSSL 1.0.1f or older. What do I need to do to patch this?
Followed these steps and rebooted. Didn't work... still have a build date of Jan 8 2014.
Same problem here.
What is the solution??
Same problem, how do I solve this?
Oh, this is upgrading all packages on Ubuntu, not only openssl; if you do "apt-get upgrade" you get the same as "apt-get upgrade openssl".
I see what you mean, I don't want to upgrade all packages (php, mysql, etc.) to the latest versions, just openssl. How to do this?
"apt-get install openssl" should install the latest version.
Unfortunately it is updating the whole server, which can affect other behaviour of the server. Please let me know if you find a solution, even I'm searching.
If you just do sudo apt-get install openssl libssl1.0.0 it will only update those packages.
Why does "openssl version -a" still show the version 1.0.1 14 Mar 2012, while the -b shows the updated date of April 7th?
They're right... you need to update both the openssl and the libssl1.0.0 packages or else you're still affected.
Now there are no leaks..! But why update ssl certificates? Is it necessary or just being safer?
Because your keys might have been stolen before updating the openssl stuff.
After the update I am getting
built on: Wed Jan 8 20:51:55 UTC 2014
only.
Same for me - something to do with the repos maybe?
Same for me, I can't get it to update the build.
http://www.ubuntu.com/usn/usn-2165-1/
When I update my OpenSSL version on Ubuntu 13.04 --- I can only download OpenSSL 1.0.1c 10 May 2012
Tried changing my repos - no joy!
If you need to test this on your own server, you can download the code and run it yourself;
http://www.podciborski.co.uk/unix/heart-bleed-exploit-example-code/
Very helpful... Thanks :D