OpenSSL remains vulnerable after update to 14.04 [duplicate]
We have an AWS server running OpenVPN which was built using Ubuntu 13.10. After the announcement of the Heartbleed vulnerability, we updated the server. This morning, we upgraded the server to 14.04. The current output of "openssl version -a" is:
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr 7 21:22:23 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
I verified the fact that the server is still vulnerable using the following:
:~$ openssl s_client -connect openvpn.example.com:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)' || echo safe
TLS server extension "heartbeat" (id=15), len=1
Attempts to run "sudo apt-get install openssl" return that the current version is already installed. What are the best options to resolve this issue? Does it appear there was a problem during distribution upgrade; i.e. is the 14.04 OpenSSL package actually outside the danger range? Or is there a possible issue with the repository itself?
As @david6 pointed out, the version of OpenSSL might still appear to be a vulnerable version. This is because Ubuntu, as many other distros, backports security fixes rather than updating to a whole newer version of the software (and possibly picking up new features and their attendant bugs along the way). So, just because you're running a "vulnerable version" of OpenSSL doesn't mean you're running a vulnerable version of OpenSSL.
However, if the available Heartbleed audits indicate you're still vulnerable, you're still vulnerable.
What I think is going on is that you've updated the package, but you haven't restarted the services that use OpenSSL, so they are still holding on to the older version that they loaded at startup.
There are two easy ways to fix that:
- Reboot the server.
- Identify and restart the affected services. An easy way to do this is with checkrestart from the debian-goodies package. It should identify the affected services and even tell you what init scripts will restart them:
$ sudo apt-get install debian-goodies
$ sudo checkrestart
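As an added example (my own script, not part of the answer above and not the debian-goodies implementation), the stale-library condition the answer describes can be checked directly: after apt replaces libssl, any process still mapping the old file shows it as "(deleted)" in /proc/<pid>/maps. The script below walks those files and reports which processes need a restart; the library paths it looks for are the ones Ubuntu 14.04 ships.

```shell
#!/bin/sh
# Added example: find processes still mapping a replaced libssl/libcrypto.
# Same idea as checkrestart, done directly over /proc rather than via lsof.

# Report stale OpenSSL mappings from one /proc/<pid>/maps file.
# Prints "<pid> <library>" per distinct stale library; exit status 0 if any found.
stale_ssl_maps() {
    maps_file="$1"
    pid="$2"
    # When dpkg replaces a shared object, running processes keep the old inode
    # mapped and the kernel appends "(deleted)" to that entry in their maps file.
    # Fields: address perms offset dev inode pathname [(deleted)]
    found=$(awk '$7 == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' \
                "$maps_file" | sort -u)
    [ -n "$found" ] || return 1
    for lib in $found; do
        echo "$pid $lib"
    done
}

# Scan every process on the host; exit status 0 if at least one is stale.
scan_all() {
    rc=1
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        if stale_ssl_maps "$m" "$pid" 2>/dev/null; then
            rc=0
        fi
    done
    return $rc
}

# Run the scan only when invoked as "sudo sh stale_ssl.sh --scan"; root is
# needed to read other users' maps files.
if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

Note that the s_client heartbeat check in the question only shows that the extension is advertised; Ubuntu's patched 1.0.1f still advertises it, so a stale-mapping check like this, or a proper Heartbleed audit as the answer suggests, is the more reliable indicator.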