OpenSSL Bug: Heartbleed

I upgraded my OpenSSL:

Code:
# cd /usr/src
# wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -xvzf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g

# ./config --prefix=/usr no-threads shared
# make
# make test
# make install

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

and restarted the PVE daemon:

Code:
# /etc/init.d/pvedaemon restart

Test with: https://github.com/titanous/heartbleeder

Code:
# ./heartbleeder ********:8006
INSECURE - ********:8006 has the heartbeat extension enabled and is vulnerable

What do I need to do?
 
Hello,

minimal upgrade:
Code:
aptitude upgrade libssl1.0.0
/etc/init.d/pveproxy restart

or with Apache Reverse Proxy:
Code:
aptitude upgrade apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
/etc/init.d/apache2 restart

esco
 

you need to restart pveproxy.

> service pveproxy restart
 
BTW: the stable branch of OpenSSL (0.9.8) in Debian 6 is not affected by this vulnerability (neither is SLES11).
 

I found out that port 8006 of my server was still vulnerable today, although openssl was (automatically) updated a few hours after 0.
Isn't it possible to configure the Debian package such that it automatically restarts, as was the case e.g. for the Apache service? Otherwise security updates may have no effect, as in this case.
 
Is there any reference about how to recreate the self signed certificate included in proxmox to deal with the bug?

What commands are needed?
 
Why install from source when a patched openssl package is available from debian?

I'm on Debian 7.4 wheezy with Proxmox. "openssl version" responds with "OpenSSL 1.0.1e 11 Feb 2013". apt-get update && apt-get upgrade does not install the patched version. My sources.list contains the line "deb http://security.debian.org/ wheezy/updates main contrib".
The same happens with various TurnKey Debian wheezy servers (CT and/or VM). Plain Debian wheezy guests are OK. Anyone any idea?
(All servers are on local nets.)
 
The same here:
openssl version
OpenSSL 1.0.1e 11 Feb 2013

But this is the patched version from Debian, as you can see below:
$ dpkg -s openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 1081
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Architecture: amd64
Version: 1.0.1e-2+deb7u6
 
This is guesswork on my end, but I guess it went like this: Debian disabled the heartbeat extension in OpenSSL and, because it's just an extension, maybe they didn't have to produce a new build, which is why "openssl version" still reports the old build date: the fixed Debian package doesn't actually contain a new build. This is really rather confusing, but apparently you have to check via "dpkg -s openssl" (or dpkg --list or any other means through apt) whether or not you're sporting the fix, whereas for Red Hat based systems "openssl version" will do.

On the plus side: the post-upgrade script for libssl in Debian offers to automatically restart all the affected services (only the ones that ship with Debian though, so it won't restart pveproxy for you), whereas Ubuntu just claims that you have to reboot your machine after updating...
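As an added example (not code from this thread or from Proxmox), a POSIX sh script that does the two checks the last posts describe: read the package Version field instead of trusting "openssl version", and find daemons such as pveproxy that were started before the upgrade and still map the replaced libssl, which /proc/<pid>/maps marks with "(deleted)". The dpkg and maps samples are constructed; FIXED_REV assumes the wheezy fix version 1.0.1e-2+deb7u5 named in DSA-2896, and the version check only understands the 1.0.1e-2+deb7uN line.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether wheezy's libssl is the patched build,
# and find processes that still map the pre-upgrade library and therefore need a restart.
# Constructed sample of `dpkg -s libssl1.0.0` output from a patched wheezy host.
SAMPLE_DPKG='Package: libssl1.0.0
Status: install ok installed
Version: 1.0.1e-2+deb7u6'

# Constructed sample of /proc/<pid>/maps lines from a daemon started before the upgrade.
SAMPLE_MAPS='7f0a1c000000-7f0a1c1b0000 r-xp 00000000 08:01 393268 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a1c3b0000-7f0a1c3b5000 rw-p 001b0000 08:01 393268 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a1d000000-7f0a1d020000 r-xp 00000000 08:01 131521 /lib/x86_64-linux-gnu/libc-2.13.so'

# DSA-2896 names 1.0.1e-2+deb7u5 as the fixed wheezy version; only the +deb7uN suffix changes.
FIXED_REV=5

# Print the N from a version string shaped like 1.0.1e-2+deb7uN (0 when the shape differs).
deb7u_rev() {
    rev=$(printf '%s\n' "$1" | sed -n 's/^1\.0\.1e-2+deb7u\([0-9][0-9]*\)$/\1/p')
    printf '%s\n' "${rev:-0}"
}

# Read dpkg -s output on stdin; print "patched" or "unpatched" against fixed revision $1.
check_libssl_status() {
    ver=$(sed -n 's/^Version: //p')
    if [ "$(deb7u_rev "$ver")" -ge "$1" ]; then echo patched; else echo unpatched; fi
}

# Read a maps file on stdin; print how many lines reference a replaced-on-disk
# libssl/libcrypto (the "(deleted)" marker). Any hit means the old code is still running.
stale_ssl_mappings() {
    grep -cE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)'
}

# Walk every readable /proc/<pid>/maps and print the PIDs that still hold the old library.
scan_live_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        n=$(stale_ssl_mappings 2>/dev/null < "$m") && printf 'pid %s: %s stale mapping(s)\n' "$pid" "$n"
    done
    return 0
}

# Demo on the constructed samples, then (if /proc is present) on the live host.
printf '%s\n' "$SAMPLE_DPKG" | check_libssl_status "$FIXED_REV"
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_mappings
if [ -d /proc/self ]; then scan_live_processes; fi
```

On a real host, feed `dpkg -s libssl1.0.0` into check_libssl_status and restart every PID the scan reports (for Proxmox that includes pveproxy and pvedaemon).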
 

mir, thank you for the tranquilizer ;)
I should have read this before: http://www.debian.org/security/2014/dsa-2896 , especially the appropriate line (wheezy).
 