Why unattended-upgrades does not fix heartbleed bug?

Solution 1:

You do not have the Heartbleed vulnerability on your server, OpenSSL has been patched to fix this issue (without upgrading it).

You have left out several important lines in the OpenSSL version output, that's how you know it's been patched, not with the version number:

openssl version -a                                                                ✭
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:19 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

The 'build on' line is what matters here, Apr. 7 or after: you're good. Otherwise: you're in trouble.

Update, since the build date doesn't seem to be good:

Maybe the unattended upgrade hasn't run yet, on my server the scripts in cron.daily are configured to run at 6:25

25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

Also, check the contents of /etc/apt/apt.conf.d/10periodic and check that security updates are installed:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Source: https://help.ubuntu.com/lts/serverguide/automatic-updates.html

Solution 2:

First, you need to perform the upgrade. Unattended-upgrades only runs once a day, and it's been less than 1 day since the fix came out (2014-04-07 around 20:00 GMT). For saucy, make sure that you've upgraded to libssl1.0.0 version 1.0.1e-3ubuntu1.2 or greater. (In precise, the fix came in version 1.0.1-4ubuntu5.12.)

Next, note that this is a very bad vulnerability: it may have allowed attackers to obtain confidential data by connecting to your vulnerable server. If you're running an SSL server, then any data that was in the server's memory since a little before the vulnerability was announced may have been leaked. This includes, in particular, the server's SSL private key, so you should generate a new one and revoke the old one.

For more information, see How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?

Solution 3:

You can't trust in internal version strings. The version says 1.0.1e and the bug affects from 1.0.0 through 1.0.0f. Is this enough to determine if you have still a vulnerable version of openssl? No. OpenSSL internal version doesn't change, even trough some updates are applied. The only way to reliably identify your version is looking to the package manager version using apt-cache policy or other tool:

➜  ~  apt-cache policy openssl
openssl:
  Installed: 1.0.1f-1
  Candidate: 1.0.1f-1
  Version table:
 *** 1.0.1f-1 0
        500 http://http.debian.net/debian/ testing/main i386 Packages
        100 /var/lib/dpkg/status
➜  ~  dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  openssl        1.0.1f-1     i386         Secure Sockets Layer toolkit - cr
➜  ~  

As you can see, my version of openssl is superior, through appears to be affected, since it's 1.0.1f, now if I check the changelogs:

➜  ~ apt-get changelog openssl
openssl (1.0.1f-1) unstable; urgency=high

  * New upstream version
    - Fix for TLS record tampering bug CVE-2013-4353
    - Drop the snapshot patch
  * update watch file to check for upstream signature and add upstream pgp key.
  * Drop conflicts against openssh since we now on a released version again.

 -- Kurt Roeckx <[email protected]>  Mon, 06 Jan 2014 18:50:54 +0100

Yeah, I'm still affected. There's no reference to the CVE-2014-0160 in the changelog whatsoever. But, I'm not running any SSL/TSL service, so I can wait. I just don't have to generate SSL certificates using this version of OpenSSL. If I do, I just have to follow Gilles advice: take down the services, revoke the certificate, generate new ones.