OpenSSL remains vulnerable after update to 14.04 [duplicate]

openssl openvpn

We have an AWS server running OpenVPN which was built using Ubuntu 13.10. After the announcement of the Heartbleed vulnerability, we updated the server. This morning, we upgraded the server to 14.04. The current output of "openssl version -a" is:

OpenSSL 1.0.1f 6 Jan 2014 
built on: Mon Apr  7 21:22:23 UTC 2014 
platform: debian-amd64 
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)  
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl"

I verified the fact that the server is still vulnerable using the following:

:~$ openssl s_client -connect openvpn.example.com:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)' || echo safe
TLS server extension "heartbeat" (id=15), len=1

Attempts to run "sudo apt-get install openssl" return that the current version is already installed. What are the best options to resolve this issue? Does it appear there was a problem during distribution upgrade; i.e. is the 14.04 OpenSSL package actually outside the danger range? Or is there a possible issue with the repository itself?


As @david6 pointed out, the version of OpenSSL might still appear to be a vulnerable version. This is because Ubuntu, as many other distros, backports security fixes rather than updating to a whole newer version of the software (and possibly picking up new features and their attendant bugs along the way). So, just because you're running a "vulnerable version" of OpenSSL doesn't mean you're running a vulnerable version of OpenSSL.

However, if the available Heartbleed audits indicate you're still vulnerable, you're still vulnerable.

What I think is going on is that you've updated the package, but you haven't restarted the services that use OpenSSL, so they are still holding on to the older version that they loaded at startup.

There are two easy ways to fix that:

  1. Reboot the server.

  2. Identify and restart the affected services. An easy way to do this is with, checkrestart from the debian-goodies package. It should identify the affected services and even tell you what init scripts will restart them:

    $ sudo apt-get install debian-goodies
$ sudo checkrestart

Related

Intel wireless not working at all
How to install Canon PIXMA iP1600? [duplicate]
LVM & LUKS manual partitioned but issues with loader/init/grub
13.10 Laptop goes to sleep instead of shutting down when lid is closed
the sound-volume indicator disappeard Ubuntu 13.10
Change Mac Address permanently inside /etc/network/interfaces
Having trouble turning mbpfan into a system service
Ethernet Network card BCM4401-B0 no longer recognised?
why does files (nautilus) open a new window although there's one already open?
HDMI stops working when DisplayPort is unplugged
What's the correct driver to use with a GeForce 6150SE nforce 430 on Ubuntu and Ubuntu flavours?
No startup sound in ubuntu 11.10