I spent a few hours last night patching OpenSSL on my servers for this site, WatchMeCode, etc. It was a pain. The worst part about it, though, was not recompiling things and actually getting the servers patched. The worst part was all the confusion about version numbers.
If you haven’t heard of it yet, you need to get yourself over to HeartBleed.com right now. Basically, if you’re using OpenSSL (and who isn’t?) then your servers are vulnerable to attack and to having your SSL keys stolen. You need to fix this ASAP by updating your OpenSSL version, recompiling anything that is built against OpenSSL, and re-issuing your SSL certificates with new keys.
Yeah, it’s a pain. But it’s necessary.
The Version Problem
The real problem I ran into last night was version numbers, like I said.
When you look around the internet, you’ll see that everyone says to update OpenSSL to version 1.0.1g – note the “g” – this is the important bit. Everyone says that if you have anything below this letter, then you’re vulnerable. Of course my servers were vulnerable at v1.0.1c.
I’m running Ubuntu for both DerickBailey.com and WatchMeCode.net, and when I updated my OpenSSL build, I didn’t get v1.0.1g installed. I ended up with v1.0.1e – and a full-on panic attack following that. How am I supposed to get v1.0.1g when apt-get only gives me v1.0.1e?!
The Real Version Number
It turns out Ubuntu didn’t update the letter at the end of the version number, when they applied the patch for v1.0.1… or something like that. I’m still not 100% clear on this. But here’s what I do know:
If you are on Ubuntu and you follow all the right steps to update OpenSSL, you will end up with v1.0.1e – and that’s ok.
The thing that you need to check is the LibSSL version, which can be done like this:
The output I get on my servers is:
The important thing to note here is the “Version” number at line 8: 1.0.1e-3ubuntu1.2
Get this version number on your Ubuntu servers, and you’re good to go.
Check The Patch
As Dan Tao points out in the comments below, this is a frustrating situation when you are trying to figure out whether you are safe or not. In the case of Heartbleed, there are tools that check for the actual vulnerability, rather than just checking the version number and hoping it is the right one. I used http://filippo.io/Heartbleed/ to check my servers after doing the updates, and got back green reports saying I’m good to go.