Why unattended-upgrades does not fix heartbleed bug?
Solution 1
You do not have the Heartbleed vulnerability on your server, OpenSSL has been patched to fix this issue (without upgrading it).
You have left out several important lines in the OpenSSL version output, that's how you know it's been patched, not with the version number:
openssl version -a ✭
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:33:19 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
The 'build on' line is what matters here, Apr. 7 or after: you're good. Otherwise: you're in trouble.
Update, since the build date doesn't seem to be good:
Maybe the unattended upgrade hasn't run yet, on my server the scripts in cron.daily are configured to run at 6:25
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
Also, check the contents of /etc/apt/apt.conf.d/10periodic and check that security updates are installed:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Source: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
Solution 2
First, you need to perform the upgrade. Unattended-upgrades only runs once a day, and it's been less than 1 day since the fix came out (2014-04-07 around 20:00 GMT). For saucy, make sure that you've upgraded to libssl1.0.0 version 1.0.1e-3ubuntu1.2 or greater. (In precise, the fix came in version 1.0.1-4ubuntu5.12.)
Next, note that this is a very bad vulnerability: it may have allowed attackers to obtain confidential data by connecting to your vulnerable server. If you're running an SSL server, then any data that was in the server's memory since a little before the vulnerability was announced may have been leaked. This includes, in particular, the server's SSL private key, so you should generate a new one and revoke the old one.
For more information, see How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?
Solution 3
You can't trust in internal version strings. The version says 1.0.1e and the bug affects from 1.0.0 through 1.0.0f. Is this enough to determine if you have still a vulnerable version of openssl? No. OpenSSL internal version doesn't change, even trough some updates are applied. The only way to reliably identify your version is looking to the package manager version using apt-cache policy or other tool:
➜ ~ apt-cache policy openssl
openssl:
Installed: 1.0.1f-1
Candidate: 1.0.1f-1
Version table:
*** 1.0.1f-1 0
500 http://http.debian.net/debian/ testing/main i386 Packages
100 /var/lib/dpkg/status
➜ ~ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii openssl 1.0.1f-1 i386 Secure Sockets Layer toolkit - cr
➜ ~
As you can see, my version of openssl is superior, through appears to be affected, since it's 1.0.1f, now if I check the changelogs:
➜ ~ apt-get changelog openssl
openssl (1.0.1f-1) unstable; urgency=high
* New upstream version
- Fix for TLS record tampering bug CVE-2013-4353
- Drop the snapshot patch
* update watch file to check for upstream signature and add upstream pgp key.
* Drop conflicts against openssh since we now on a released version again.
-- Kurt Roeckx <[email protected]> Mon, 06 Jan 2014 18:50:54 +0100
Yeah, I'm still affected. There's no reference to the CVE-2014-0160 in the changelog whatsoever. But, I'm not running any SSL/TSL service, so I can wait. I just don't have to generate SSL certificates using this version of OpenSSL. If I do, I just have to follow Gilles advice: take down the services, revoke the certificate, generate new ones.
Related videos on Youtube
03 : 24
18 : 20
06 : 00
11 : 46
03 : 56
Guillaume Vincent
Updated on September 18, 2022Comments
-
Guillaume Vincent over 1 year
I've followed the instruction to install unattended-upgrades to install automatic security updates on my server (ubuntu server 13.10).
https://help.ubuntu.com/community/AutomaticSecurityUpdates
Can you help me to understand why this morning I still have the heartbleed bug on my server ?
$ openssl version -a OpenSSL 1.0.1e 11 Feb 2013 built on: Wed Jan 8 20:58:47 UTC 2014 platform: debian-amd64other information:
$ cat /etc/apt/apt.conf.d/20auto-upgrades APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1"; $ cat /var/log/apt/history.log .... Start-Date: 2014-04-03 15:33:59 Commandline: apt-get install nginx Install: libxau6:amd64 (1.0.8-1, automatic), libx11-data:amd64 (1.6.1-1ubuntu1, automatic), libxcb1:amd64 (1.9.1-3ubuntu1, automatic), libvpx1:amd64 (1.2.0-2, automatic), libgd3:amd64 (2.1.0-2, automatic), libxdmcp6:amd64 (1.1.1-1, automatic), libxslt1.1:amd64 (1.1.28-2, automatic), nginx-common:amd64 (1.4.1-3ubuntu1.3, automatic), nginx:amd64 (1.4.1-3ubuntu1.3), nginx-full:amd64 (1.4.1-3ubuntu1.3, automatic), libx11-6:amd64 (1.6.1-1ubuntu1, automatic), libxpm4:amd64 (3.5.10-1, automatic) End-Date: 2014-04-03 15:34:02 Start-Date: 2014-04-04 10:26:38 Commandline: apt-get install unattended-upgrades Install: unattended-upgrades:amd64 (0.79.3ubuntu8) End-Date: 2014-04-04 10:26:40Thank you
-
Guillaume Vincent about 10 yearsI'm in trouble :(
built on: Wed Jan 8 20:58:47 UTC 2014 platform: debian-amd64 -
Edd Turtle about 10 yearsjust run
sudo apt-get update && sudo apt-get dist-upgradeand you should be up-to-date. -
Guillaume Vincent about 10 yearsThank you @EddTurtle, this is not my question ! My question is why automatic update does not works !
-
Guillaume Vincent about 10 yearsmy /etc/apt/apt.conf.d/10periodic wasn't good or maybe the cron didn't find any upgrade at 5am. Thank you @mathieu-comandon
-
Jos about 10 years@guillaumevincent I just noticed that unattended-upgrades was the very last package you installed - so it had to be a configuration issue.
-
MattC about 10 yearsdpkg -l openssl will show you if you have the correct version. For 12.04, if it says "1.0.1-4ubuntu5.12" you are on the fixed version. Note that you will still be vulnerable until you restart any web servers that depend on openssl to ensure they're using the patched version.
-
ColinM about 10 yearsNote: "apt-cache changelog" is not a valid command for me, but "aptitude changelog" is.
-
Braiam about 10 years@ColinM sorry, was apt-get, not apt-cache, clipboard problem.
-
pieroxy about 10 yearsAnything in the server memory for about two years may have been leaked, not just from the time of the announcement.
-
h3. about 10 years@pieroxy Anything that's been in the server's memory for a long time is highly likely to have been overwritten, to the point that you should also worry about many other attack vectors. The exception is if you are worried about adversary who might have known of the bug earlier and exploited it quietly — government-level adversaries might well have known, it's unlikely that ordinary crooks would have.
-
Guillaume Vincent about 10 years@jos yes sure but I don't know where. I've only run two commands following the official help ubuntu tutorial.
-
John Mee almost 10 yearsIs it true that the unattended upgrade didn't work for 13.04 (raring) because it was end-of-lifed a few days before heartbleed happened?
