How to patch the Vulnerability [CVE-2014-0224] in OpenSSL?

security openssl

11,128

Solution 1

The answer given does not answer the question, and as far as the latest package for x86_64 14.04 the latest openssl package info is (if others have dif please let me know):

openssl:
  Installed: 1.0.1f-1ubuntu2.3
  Candidate: 1.0.1f-1ubuntu2.3
  Version table:
 *** 1.0.1f-1ubuntu2.3 0
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-updates/main amd64 Packages
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I have been messing around with installing/upgrading that to version 1.0.1h from HERE with no luck yet, when I make some headway I will check back in.

*****UPDATE: So I found the solution on another thread that just needed to be updated (source post listed below):**

Below the single command line to compiling and install the last openssl version.

curl https://www.openssl.org/source/openssl-1.0.1h.tar.gz | tar xz && cd openssl-1.0.1h && sudo ./config && sudo make && sudo make install

Replace old openssl binary file by the new one via a symlink. Go to /usr/bin in terminal and run command below

sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

Reboot and you are good to go. You may want/need to create new certificates. Here is the original thread/post I updated. SOURCE

My output after running commands and rebooting:

OpenSSL 1.0.1h 5 Jun 2014
built on: Sat Jun 14 22:43:13 EDT 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Solution 2

Make sure you have a currently supported release: 10.04-server, 12.04, 14.04 or 13.10.

~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.4 LTS
Release:    12.04
Codename:   precise

Make sure you install the latest updates. sudo apt-get update && sudo apt-get upgrade

Verify. apt-cache policy openssl should show as installed version 1.0.1-4ubuntu5.14.

apt-cache policy openssl
openssl:
  Installed: 1.0.1-4ubuntu5.14
  Candidate: 1.0.1-4ubuntu5.14
  Version table:
 *** 1.0.1-4ubuntu5.14 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main i386 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main i386 Packages
        100 /var/lib/dpkg/status

Restart any services or the system just to be sure.

11,128

Shadin

Updated on September 18, 2022

Comments

Shadin over 1 year

I've received a warning from the authority that generated my certificate, it says that there is bug in OpenSSL and it has been found affecting versions 1.0.1.

As I understand, I have to upgrade to 1.0.1h to fix this bug.

This is the first time I deal with these stuff and I'm worried about how it will affect my server.

Do I have to restart any services? And what exactly? I have to make sure this is not going to take too long.
- VenkiPhy6 almost 10 years
  
  @cshubhamrao This is not the heartbleed bug. This is a different one. So not a dupe.
- cshubhamrao almost 10 years
  
  Really sorry, my bad.
- theTuxRacer almost 10 years
  
  Just as an FYI, you will not need to change/renew your certificate.
trysis almost 10 years

apt-get update and apt-get upgrade are the same command by default on many (most?) systems. The user has to specifically make them not the same by changing a setting somewhere.
Admin almost 10 years

@trysis update updates the package sources, upgrade updates actual packages, so they aren't the same and both are needed (unless that was changed).
Shadin almost 10 years

am gonna install the update from here openssl.org/source [ openssl-1.0.1h.tar.gz] is it the same version [1.0.1-4ubuntu5.14] ?
mikewhatever almost 10 years

Not sure why you'd do that. I'd recommend installing updates from the Ubuntu repositories only if possible. The version is not the same, as the numbering tells.
Shadin almost 10 years

i found this earlier digicert.com/openssl-ccs-injection-fix.htm you see the patches list at the Remediation/Fix section. what do you think of this?
dobey almost 10 years

This doesn't properly answer how to update in Ubuntu to get the fix; which is to simply install the updates from the security updates channel. Also, the bug affects both clients and servers, and is only exploitable by some path between both endpoints, when both endpoints are vulnerable.
dobey almost 10 years

@Shadin that clearly says "update from your vendor." In this case, the "vendor" is Ubuntu, and those updates are available, and should be installed.
saiarcot895 almost 10 years

That's because Ubuntu doesn't publish completely new versions of software in released distros; they take the patches that address the security/functionality issues and apply them to the existing version, hence the .3 at the end of the version string.
saiarcot895 almost 10 years

10.04 is also supported for this package, I think.
mikewhatever almost 10 years

@saiarcot895 Thanks, you are quite right. Corrected above.
J Bourne over 9 years

John..You are the man...! Super like for this answer