Unless you've been living under a rock for the past 24 hours you've probably heard about 'Heartbleed', the latest and greatest OpenSSL vulnerability (it sits in the TLS heartbeat extension, so it hits HTTPS and every other TLS service linked against a vulnerable OpenSSL), which Bruce Schneier rates an 11 on a scale from 1 to 10. Indeed, it's as bad as it can get.
As I have a number of (Debian based) Raspberry Pi servers on which I host my ownCloud, Selfoss and a couple of other things I was also affected and scrambled to get my shields back up. Fortunately the guys at Raspberry Pi reacted quickly and offered the SSL fix in the Raspbian repository right away. Once that was done I got a new SSL certificate for my domain name, distributed it to my servers and then updated all the passwords used on those systems. Two hours later… and I'm done.
And here are two quotes from Bruce's blog that make quite clear how bad the situation really is:
"At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies."
and
"The real question is whether or not someone deliberately inserted this bug into OpenSSL"
I'm looking forward to the investigation into who's responsible for the bug. As 'libssl' is open source it should be possible to find out who modified that piece of code in 2011.
I have updated my Raspi with Debian Wheezy as well, but after all updates have been applied, I still have OpenSSL version 1.0.1e (which is vulnerable). What am I doing wrong?
Hi Stefan,
I think the press is simplifying this a bit by focusing on the letter behind the version number. According to
–> https://security-tracker.debian.org/tracker/CVE-2014-0160
the issue is fixed in
–> libssl-doc/wheezy uptodate 1.0.1e-2+rvt+deb7u6
The deb7u6 is the indicator! Before my update it was deb7u4 which is marked in red as vulnerable on the page above and now it’s deb7u6 while 1.0.1e did not change. Probably they don’t change the version number due to the backport. I ran one of the web tools that check for the vulnerability against my server and it said it’s patched now (but I didn’t check before the update as I wasn’t aware of the tool).
On Ubuntu, for example, there’s not even an ‘e’ or ‘g’ at all, here it’s 5.11 = vulnerable, 5.12 = fixed:
–> libssl1.0.0/precise-security upgradeable from 1.0.1-4ubuntu5.11 to 1.0.1-4ubuntu5.12
Summary: check the version number of libssl; if it has a ‘deb7u6’ at the end you should be OK 🙂
Hope this helps,
Martin
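The check Martin describes, as an added example that is not part of the original post or its comments: a Python implementation of the version-ordering rules dpkg applies (epoch, then upstream version, then distribution revision, each compared by alternating non-digit and digit runs, with `~` sorting before everything), run on the exact libssl version strings quoted above. It shows why `1.0.1e-2+rvt+deb7u4` is older than `1.0.1e-2+rvt+deb7u6` even though the upstream part `1.0.1e` is identical, and why `1.0.1-4ubuntu5.11` is older than `1.0.1-4ubuntu5.12`. The second function covers the step a package upgrade alone does not handle: a daemon that loaded the old libssl before the update keeps running the vulnerable code until it is restarted, and the kernel marks such mappings `(deleted)` in `/proc/<pid>/maps`. The function names (`compare_versions`, `is_fixed`, `deleted_ssl_mappings`) and the `/proc/<pid>/maps` sample are my own constructions for this example.

```python
# Added example, not code from the original post or its comments.
# dpkg-style version comparison plus a "stale library still mapped" check.


def parse_version(version):
    """Split a dpkg version into (epoch, upstream, revision).
    The epoch is before the first ':', the revision after the LAST '-'."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no revision at all (native package)
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(c):
    """Character weight used by dpkg inside non-digit runs: '~' sorts before
    everything (even the end of the string), letters before non-letters,
    end of string and digits count as 0."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare one upstream or revision string the way dpkg's verrevcmp does:
    alternate between non-digit runs (lexical, via _order) and digit runs
    (numeric, leading zeros ignored). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # digit run: drop leading zeros, then compare numerically
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # a has more digits: larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1, matching what `dpkg --compare-versions a lt|eq|gt b` decides."""
    epoch_a, up_a, rev_a = parse_version(a)
    epoch_b, up_b, rev_b = parse_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    result = _compare_fragment(up_a, up_b)
    if result:
        return result
    return _compare_fragment(rev_a, rev_b)


def is_fixed(installed, fixed_in):
    """True if the installed version is the fixed one or newer."""
    return compare_versions(installed, fixed_in) >= 0


def deleted_ssl_mappings(maps_text):
    """Given the contents of /proc/<pid>/maps, return the libssl/libcrypto
    objects the process still has mapped although the file on disk has been
    replaced (shown as '(deleted)'). Non-empty means: restart that process."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5]
        if path.endswith(" (deleted)") and ("libssl" in path or "libcrypto" in path):
            stale.add(path[: -len(" (deleted)")])
    return sorted(stale)


# Constructed /proc/<pid>/maps excerpt (not captured from a real system):
# a daemon that still maps the pre-upgrade libssl after the package update.
SAMPLE_MAPS = """\
b6e4e000-b6f3f000 r-xp 00000000 b3:02 18521 /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (deleted)
b6f3f000-b6f46000 ---p 000f1000 b3:02 18521 /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (deleted)
b6f5a000-b6f6c000 r-xp 00000000 b3:02 18499 /lib/arm-linux-gnueabihf/libc-2.13.so
b6f80000-b6f81000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # The version strings below are the ones quoted in the comment above.
    for installed, fixed in [("1.0.1e-2+rvt+deb7u4", "1.0.1e-2+rvt+deb7u6"),
                             ("1.0.1e-2+rvt+deb7u6", "1.0.1e-2+rvt+deb7u6"),
                             ("1.0.1-4ubuntu5.11", "1.0.1-4ubuntu5.12")]:
        print(installed, "fixed" if is_fixed(installed, fixed) else "VULNERABLE")
    print("still mapped after upgrade:", deleted_ssl_mappings(SAMPLE_MAPS))
```

On a real Debian or Raspbian box the installed version comes from `dpkg-query -W -f='${Version}\n' libssl1.0.0`, and `dpkg --compare-versions` applies the same ordering as `compare_versions` above. Two follow-ups the package upgrade does not do for you: every long-running process that linked libssl before the update (web server, mail server, VPN, the ownCloud PHP workers) keeps the old code in memory until it is restarted, which is what the `(deleted)` check catches; and a freshly issued certificate only closes the door if the old one, whose private key may have been read out through the bug, is revoked as well.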