https://blog.okturtles.org/2014/04/how-to-update-openssl-on-debian-testing-jessie-for-heartbleed/



This post is about the OpenSSL Heartbleed vulnerability that’s affecting the internet right now and not directly related to the okTurtles project.

April 8, 2014 6PM EST: Looks like for this one the Debian team moved faster than their typical “minimum two-day migration” and got the fix into testing a couple of minutes ago. Good job! You can completely ignore this blog post now! I’ll leave it up in case it’s still a helpful illustration of how to get security fixes for testing when they’re not yet available.


Some versions of Debian still remain without a fix for Heartbleed. Click here to check the status of CVE-2014-0160 (aka Heartbleed) on Debian.

For reasons beyond my comprehension, Debian testing will likely be the last of the Debian releases to receive the fix (after unstable and stable):

Q: How is security handled for testing?

A: Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

So, what to do if you are running Debian testing and want this fix now? You have a few options to choose from:

  1. Backup and reinstall Debian stable. (You probably don’t want to do this.)
  2. Upgrade to ‘sid’ aka ‘unstable’. (You probably don’t want to do this.)
  3. Grab the fixed version of OpenSSL from unstable.

This tutorial will guide you through the third option above. Here’s the quick run-down of what we’re going to do:

  1. Install prereqs
  2. Add sid to apt’s sources.list
  3. Verify that OpenSSL >= 1.0.1g is available
  4. Install OpenSSL >= 1.0.1g
  5. Undo step #2 (very important!)
  6. Restart machine or individual services
  7. Verify the fix is in!

Step 1: Install the prerequisites

‘debhelper’ will be needed to build openssl from source (while the binary remains unavailable in the repos), and ‘needrestart’ will be useful after we update libssl (to know which services need a restart).

Step 2: Add sid to apt’s sources.list

Edit /etc/apt/sources.list and add these two lines to the bottom:

Note that not all package mirrors might have the fixed version of OpenSSL in them. I know that the one above has at least the source files (though not the binary as of this writing).

Now save the file and run (as root): apt-get update

Step 3: Verify OpenSSL >= 1.0.1g is available for installation

Run apt-cache policy openssl and check the output to see if OpenSSL version 1.0.1g or greater is available. Note that as of this writing only the patched source is available for installation. You can run apt-cache show openssl to check the version on the binary, and apt-cache showsrc openssl to verify that at least >=1.0.1g of the source is available.

If the binary is at the right version, then use the standard ‘install’ command to install that and skip Step 4 below. Otherwise, continue on to install from source.

Step 4: Install OpenSSL from source (if no binary available)

Step 5: IMPORTANT! Comment out the sources.list & apt-get update again!

Now edit the file from Step 2 above to comment out (or remove) the repositories that you added, and then run apt-get update to make sure that you don’t accidentally install other software from sid.

Step 6: Restart the machine or restart affected services

Restarting your machine is the safest way to ensure that all apps that use libssl get the fix. If you don’t want to do that, then you can use the handy ‘needrestart’ command from Step 1 to check what services need restarting by simply running: needrestart -r l
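To cross-check Step 6 by hand, the following added example (not from the original post) lists processes that still have the pre-upgrade libssl or libcrypto mapped. It assumes a Linux /proc and that the upgrade replaced the library file on disk, so the old mapping is shown as "(deleted)"; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: find processes still running on the old, replaced libssl.

# stale_ssl_in_maps FILE
# Exit 0 if FILE (in /proc/<pid>/maps format) contains a mapping of libssl or
# libcrypto whose backing file has been unlinked. The kernel appends
# " (deleted)" to the pathname once the mapped file was replaced on disk.
stale_ssl_in_maps() {
    awk '
        # Field 6 is the pathname; the last field is the "(deleted)" marker.
        $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# list_stale_ssl_pids [PROCROOT]
# Print "PID COMMAND" for every process under PROCROOT (default /proc) that
# still maps a deleted libssl/libcrypto and therefore needs a restart.
# PROCROOT is a parameter only so the function can be run against a copy.
list_stale_ssl_pids() {
    procroot=${1:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        # Skip processes that exited or that we may not read (run as root
        # to see every process).
        [ -r "$maps" ] || continue
        if stale_ssl_in_maps "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Scan the live system only when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_stale_ssl_pids
fi
```

An empty result after restarting services means no running process is still executing the old library code; statically linked programs are not covered by this check.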

Step 7: Verify and re-create private keys and certificates as necessary

If you’re running services on Debian testing (something that some in the Debian community frown upon, encouraging users instead to stay on stable), then head over to this wonderful site and test your site:

It’s recommended that you create new private keys, revoke prior certificates, and issue new ones.

If you’ve been following our work, you’ll know that we advocate using the blockchain for all these purposes. Unlike traditional Certificate Authorities, you don’t need to pay money for a new certificate, you don’t need to wait on anyone to revoke and re-issue it, and there are no faxes to send!

That’s all folks! Hope this was helpful!

Thanks to somiaj, rjsalts, centrx and peterS on #debian for helping me figure this out!