In case you haven't heard, a critical bug in the widely used OpenSSL library was disclosed earlier today.
Despite the cool name and vector logo, Heartbleed is one of the scariest security bugs to hit the Internet in a long time.
We patched our servers here at Pay4Bugs earlier today, so I thought I'd share with you how we went about it.
We run Ubuntu 12.04 LTS on our production servers. If you have automatic security updates enabled, your server will pick up the fix on its own, but there's no harm in checking that the update has actually been applied.
Step 1 - Check your current OpenSSL version
Run openssl version -a
root@sin1:~# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@sin1:~#
The built on date is what we're interested in. Make sure it's on or after April 7, 2014. If it's an earlier date, as in the example above, your server is vulnerable. Don't rely on the version string alone: Ubuntu backports security fixes without changing the upstream version number, so the build date is what tells you whether the fix is in.
Step 2 - Install the latest security updates
Run apt-get update followed by apt-get dist-upgrade
root@www:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
file libmagic1 libssl-dev libssl-doc libssl1.0.0 openssh-client openssh-server openssl
8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,697 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue [Y/n]? y
You might be prompted to restart services that use the library (or to restart the server); do it. The upgrade replaces the library on disk, but any process that loaded the old OpenSSL keeps running the vulnerable code until it is restarted.
Step 3 - Check to make sure the patched version of OpenSSL successfully installed
Run openssl version -a
root@discuss:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@discuss:~#
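The checks in Steps 1 and 3, plus the restart caveat from Step 2, lend themselves to a script once you have more than a couple of hosts. The following POSIX shell script is an added example and is not part of the original post: it applies the same "built on or after April 7, 2014" test to the output of openssl version -a, and on Linux lists processes whose memory map still points at a libssl or libcrypto file that has since been replaced on disk, which is exactly the case the restart note is about. The sample outputs are constructed from the two transcripts above, and the function names (built_on_is_patched, verdict_for, check_this_host, stale_libssl_pids) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
#  - built_on_is_patched / verdict_for: apply the post's build-date test to
#    captured `openssl version -a` output.
#  - check_this_host: run that test against the OpenSSL installed locally.
#  - stale_libssl_pids: on Linux, list processes that still map a replaced
#    libssl/libcrypto (loaded before the upgrade, not restarted since).

# Earliest acceptable build date, from Step 1 of the post, as YYYYMMDD.
FIX_DATE=20140407

# Usage: built_on_is_patched "<output of openssl version -a>"
# Exit status: 0 = built on/after FIX_DATE, 1 = older build, 2 = no "built on:" line.
built_on_is_patched() {
    printf '%s\n' "$1" | awk -v fix="$FIX_DATE" '
        /^built on:/ {
            # Line shape: built on: Mon Apr 7 20:33:29 UTC 2014
            # Fields:     1     2   3   4   5 6        7   8
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) mon[names[i]] = i
            ymd = $8 * 10000 + mon[$4] * 100 + $5
            found = 1
            exit (ymd >= fix + 0) ? 0 : 1
        }
        END { if (!found) exit 2 }
    '
}

# Human-readable verdict for one captured `openssl version -a` output.
verdict_for() {
    rc=0
    built_on_is_patched "$1" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo VULNERABLE ;;
        *) echo unknown ;;
    esac
}

# Run the check against the OpenSSL actually installed on this host.
check_this_host() {
    out=$(openssl version -a 2>/dev/null) || { echo "openssl not found"; return 2; }
    printf '%s: %s\n' "$(verdict_for "$out")" "$(printf '%s\n' "$out" | head -n 2 | tr '\n' ' ')"
}

# List "<pid> <command>" for every process whose memory map still refers to a
# libssl or libcrypto file marked "(deleted)": the package upgrade replaced the
# file on disk, but the process keeps running the old code until restarted.
# Needs root to see other users' processes.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -qE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            pid=${pid%/maps}
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s %s\n' "$pid" "${cmd:-?}"
        fi
    done
}

# Constructed samples, shaped like the two transcripts in the post.
SAMPLE_VULNERABLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013'
SAMPLE_PATCHED='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014'

for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_PATCHED"; do
    printf '%-10s %s\n' "$(verdict_for "$sample")" "$(printf '%s\n' "$sample" | tail -n 1)"
done

# Pass --live to check the local install and list stale processes.
if [ "${1:-}" = "--live" ]; then
    check_this_host
    echo "processes still running a replaced libssl/libcrypto:"
    stale_libssl_pids
fi
```

The build-date test is the post's own heuristic for the Ubuntu 12.04 packages; a self-compiled or third-party OpenSSL built after that date is not necessarily fixed, so on anything other than stock packages also compare the installed package version (apt-cache policy libssl1.0.0) against the Ubuntu Security Notice. If stale_libssl_pids prints anything after the upgrade, those services still need a restart.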