
The Pay4Bugs Blog


How to Update Ubuntu to fix the Heartbleed SSL bug

Posted by Larry Salibra

In case you haven't heard, a critical bug in the widely used OpenSSL library was disclosed earlier today.

Despite the cool name and vector logo, Heartbleed is one of the scariest security bugs to hit the Internet in a long time.

We patched our servers here at Pay4Bugs earlier today, so I thought I'd share with you how we went about it.

We run Ubuntu 12.04 LTS on our production servers. If you have automatic security updates enabled, your server will pick up the fix on its own, but there's no harm in checking that the update has actually been applied.

Step 1 - Check your current OpenSSL version

Run openssl version -a

root@sin1:~# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@sin1:~#

The "built on:" date is the line we're interested in. Make sure it's on or after April 7, 2014. If it shows an earlier date, as in the example above, your server is vulnerable.

Step 2 - Install the latest security updates

Run apt-get update followed by apt-get dist-upgrade

root@www:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  file libmagic1 libssl-dev libssl-doc libssl1.0.0 openssh-client openssh-server openssl
8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,697 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue [Y/n]? y

You might need to restart your server if prompted.

Step 3 - Check to make sure the patched version of OpenSSL successfully installed

Run openssl version -a

root@discuss:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@discuss:~# 
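The same check the post does by eye, as an added example that is not code from the original post: it applies the post's rule (the "built on:" date must be April 7, 2014 or later) to the text of `openssl version -a`, so it can be run across many hosts. The embedded sample is constructed from the post's own step 1 listing, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Only the "built on:"
# line is inspected: as the post's step 3 output shows, the version line
# still reads "OpenSSL 1.0.1" after Ubuntu's backported fix, so the
# version number alone tells you nothing.

# month_num Jul -> 07 (fails on anything that is not a month abbreviation)
month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# built_on_stamp "<output of openssl version -a>" -> YYYYMMDD taken from
# the "built on:" line, e.g. "Mon Apr  7 20:33:29 UTC 2014" -> 20140407.
built_on_stamp() {
    line=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p')
    [ -n "$line" ] || return 1
    # Word-splitting collapses the double space in "Apr  7".
    set -- $line
    m=$(month_num "$2") || return 1
    printf '%s%s%02d\n' "$6" "$m" "$3"
}

# heartbleed_status "<output>" -> prints "patched" or "vulnerable";
# returns non-zero when no parseable "built on:" line is present.
heartbleed_status() {
    stamp=$(built_on_stamp "$1") || return 2
    if [ "$stamp" -ge 20140407 ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample: the pre-patch output from step 1 of the post, trimmed.
SAMPLE_BEFORE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013
platform: debian-amd64'

# Check the local system when run as: sh heartbleed_check.sh --live
if [ "${1:-}" = "--live" ]; then
    heartbleed_status "$(openssl version -a)"
fi
```

A "patched" result only covers the library on disk; services that loaded the old libssl1.0.0 before the upgrade keep it in memory until they are restarted, which is why the post's restart step matters.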
