Heartbleed

Posted by restamp 
Heartbleed
April 13, 2014 02:01PM
Anyone know when Debian (and in particular, Debian ARM) will be pushing the fixes for the openssl Heartbleed bug? (Or am I missing something?)
Re: Heartbleed
April 13, 2014 03:13PM
restamp,

They did. Do apt-get upgrade and check:

dpkg -l | grep -i openssl
ii  libcurl3:armel                         7.26.0-1+wheezy8              armel        easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl4-openssl-dev                   7.26.0-1+wheezy8              armel        development files and documentation for libcurl (OpenSSL flavour)
ii  libgnutls-openssl27:armel              2.12.20-8+deb7u1              armel        GNU TLS library - OpenSSL wrapper
ii  openssl                                1.0.1e-2+deb7u6               armel        Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                         0.13-2+deb7u1                 armel        Python 2 wrapper around the OpenSSL library
ii  ssl-cert

1.0.1e-2+deb7u6 is the new version that has the fix.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Heartbleed
April 13, 2014 06:37PM
Hmm. I'm still sitting at 1.0.1e-2+deb7u4 after an "apt-get update; apt-get upgrade" (which did nothing). What are you using as the repositories bodhi?
Re: Heartbleed
April 13, 2014 07:13PM
OK, after a bit of investigation, I changed my /etc/apt/sources.list from:
deb http://ftp.us.debian.org/debian wheezy main
to
deb http://http.debian.net/debian wheezy main
deb-src http://http.debian.net/debian wheezy main

deb http://http.debian.net/debian wheezy-updates main
deb-src http://http.debian.net/debian wheezy-updates main

deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

After doing this, it pulled down a number of updates including the desired 1.0.1e-2+deb7u6.

So, did I go too far with this? Is this a good set of repositories? What are yours?
Re: Heartbleed
April 13, 2014 07:58PM
Hi restamp,

Yes, I think you did. But mine is slightly different. I included contrib non-free to get all the security updates for packages that are not in mainline Debian. However, this might not be necessary if you never install things that are out-of-distribution.
deb http://ftp.us.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main contrib non-free

-bodhi
Re: Heartbleed
April 14, 2014 06:03PM
Thanks, bodhi. The addition of the security repository pulled in a number of (probably much overdue) updates. I'm not sure where I got the singular line in my sources.list. I think it was what was recommended when upgrading from Squeeze to Wheezy. In any event, I'm slowly learning something about an area of Debian that I was not very familiar with.

As an experiment, on my test server, I first added the six entries shown above, ran an update/upgrade (which pulled in lots of stuff), and then added "contrib non-free" components to the security repository. I then re-ran the update/upgrade/dist-upgrade and found nothing new was added. Thus, I think that for now I don't need these components. I am curious what security packages are desirable to have that are non-free.

In any event, here is what I am currently using on my active Pogoplug servers:
deb http://ftp.us.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main

Thanks again.
Re: Heartbleed
April 14, 2014 06:38PM
Hi restamp,

I recall that I added the contrib non-free repo area back when wheezy was still in testing. And some packages were included in the upgrade, but they had not yet conformed to the DFSG (Debian Free Software Guidelines). But after Sept 2013 (in my upgrade log), no packages from this repo area appeared in the log. So I think they were finally accepted into the main area.

-bodhi
Re: Heartbleed
April 14, 2014 06:50PM
And I must say, what a mess this Heartbleed bug has caused! It's a pain-in-the-you-know-where finding info about which websites you have an account with that were affected by this and whether they have patched it (they should have by now) :)

Some interesting info:
http://www.bbc.com/news/technology-26971363

Note that Amazon is not affected. But if you have used the same Amazon password for other site(s) then still best to change Amazon password as precaution.

-bodhi
Re: Heartbleed
April 15, 2014 01:27AM
Bodhi, I agree, and it's even more problematic if you run servers on the internet, as I do. I don't actually have anything of value sitting behind Apache TLS here -- I do run https on one server, but it's really only to experiment with. However, https seems to be the service everyone is interested in. I'm personally more concerned as to whether I need to regenerate my sendmail TLS keys, and whether my DNS servers could have been breached. Even NTP is apparently affected, although I can't conceive what useful data could have been purloined there. I understand sshd is safe -- apparently it uses the openssl crypto libs, but implements its own secure channel, not employing TLS.

FWIW, I've been keeping the following URL in a browser tab:

http://tif.mcafee.com/heartbleedtest

Before I visit any site that is at all sensitive, I plug the site domain name into it. So far, every site I've encountered has been patched according to McAfee. Of course, I understand there are still half a million sites waiting for new site certs, so a patched openssl may not be the total answer, but for now I suppose it is the best we can do.

Just patched the last of my Pogoplugs. The only unpatched box I apparently have right now is Linux Mint, but it's sitting behind a firewall and doesn't serve up anything. Anyway, it's past time to hit the sack.

Thanks again.
Re: Heartbleed
April 15, 2014 01:59AM
Thanks for the link, restamp! Very helpful. Great that we do have some way to confirm that the site we're about to visit was patched.

I also took down my web server and regenerated the keys.

-bodhi
Re: Heartbleed
May 18, 2014 04:12PM
Re: Heartbleed
May 18, 2014 06:51PM
Thanks, bodhi.
Re: Heartbleed
May 27, 2014 03:51PM
My GoFlex reports openssl at 1.0.1e-2+deb7u9. I'm assuming then that anything greater than 1.0.1e-2+deb7u6 should be safe, as far as we know.
Re: Heartbleed
May 27, 2014 07:12PM
Yes, anything greater than 1.0.1e-2+deb7u6 is safe from Heartbleed... otoh, I think it's good to update to the latest openssl version whenever there is a security update for it.

-bodhi
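To check the two points the thread relies on (reading the installed version out of `dpkg -l`, and deciding that deb7u9 is "greater than" the fixed 1.0.1e-2+deb7u6) without eyeballing version strings, here is an added Python example, not from the thread or from Debian's own tooling: it reimplements dpkg's version ordering (the rules behind `dpkg --compare-versions`) and runs it against constructed `dpkg -l` lines modelled on the ones posted above.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "1.0.1e-2+deb7u6"  # fixed openssl version named in the thread

# Constructed `dpkg -l | grep -i openssl` lines modelled on the thread, with an
# openssl that is still one security update short of the fix.
DPKG_L_SAMPLE = """\
ii  libcurl3:armel   7.26.0-1+wheezy8  armel  client-side URL transfer library (OpenSSL flavour)
ii  openssl          1.0.1e-2+deb7u4   armel  Secure Socket Layer (SSL) binary and related tools
"""

def _order(c):
    # dpkg character weight: '~' < end of string < letters < other symbols.
    return -1 if c == "~" else 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # One component the dpkg way: alternate non-digit runs (weighted lexical,
    # padded with end-of-string) and digit runs (numeric, empty counts as 0).
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 for Debian versions [epoch:]upstream[-revision]: epoch, then
    # upstream, then revision, each with dpkg's component ordering.
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    sign = lambda n: (n > 0) - (n < 0)
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return sign(ea - eb) or sign(_verrevcmp(ua, ub)) or sign(_verrevcmp(ra, rb))

def installed_version(dpkg_l_output, package):
    # Installed ('ii') version of `package` from `dpkg -l` lines, ignoring ':arch'.
    for fields in (line.split() for line in dpkg_l_output.splitlines()):
        if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == package:
            return fields[2]
    return None

def heartbleed_fixed(version, fixed=FIXED_VERSION):
    # True when the installed version is at or past the fixed one (so deb7u9 qualifies).
    return compare_versions(version, fixed) >= 0
```

Feed it the real output of `dpkg -l openssl` on a Wheezy box and it answers the same question the thread settled by hand; note that `~` versions (pre-releases) sort below the plain version, as in dpkg.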