OpenSSL update

I see there is a vulnerability in OpenSSL:

https://www.openssl.org/news/secadv_20140407.txt

I use the OpenSSL port rather than the built in FreeBSD version. I ran portmaster -a today and I see that an updated version of OpenSSL is available (version 1.0.1g).

Do I need to recompile all dependent ports if I update my OpenSSL port? There's nothing mentioned in /usr/ports/UPDATING about doing this but I just wanted to make sure.

Thanks.
 
There is no need to recompile the dependent ports. Restarting the services which provide SSL/TLS by way of OpenSSL would be good, though.
 
Every single port that uses OpenSSL uses so-called dynamic linking to link the libraries into them, and that means there's no need to recompile the dependent ports if the OpenSSL port is updated. Of course you have to restart any services that have the old copy of the library loaded in memory to make them use the updated version of the dynamic link library.
 
kpa said:
Every single port that uses OpenSSL uses so called dynamic linking to link the libraries into them and that means there's no need to recompile the dependent ports if the OpenSSL port is updated.
Not unless the version of the library changes, or more specifically its ABI. But nothing changes with this bug fix so nothing will have to be rebuilt (except OpenSSL itself, obviously).

There's more information about this bug here: http://heartbleed.com/

It's quite a bad one, definitely make sure your systems are updated.
 
I have a similar question, however I am not running OpenSSL from ports. What is the recommended course of action when running openssl from the base installation?

Also, is there a utility similar to "pkg audit" that'll show me vulnerabilities in the base system?

Thanks!
 
I just updated my OpenSSL port and when I run openssl version it still says:

Code:
OpenSSL 1.0.1e-freebsd 11 Feb 2013

Am I running the patched version now?
 
xy16644 said:
I just updated my OpenSSL port and when I run openssl version it still says:

Code:
OpenSSL 1.0.1e-freebsd 11 Feb 2013

Am I running the patched version now?

You have to make sure you run the port version and not the base system version.

/usr/local/bin/openssl version
 
Thanks @kpa!

It is the latest version as of today:

Code:
OpenSSL 1.0.1g 7 Apr 2014

I also restarted Postfix, Apache and Dovecot.

Is OpenSSH affected at all by this vulnerability?
 
xy16644 said:
Thanks @kpa!

It is the latest version as of today:

Code:
OpenSSL 1.0.1g 7 Apr 2014

I also restarted Postfix, Apache and Dovecot.

Is OpenSSH affected at all by this vulnerability?

I'm inclined to say no since SSH doesn't use SSL/TLS, at least not in its default configuration.
 
Perhaps it should be stressed that it's the implementation that was faulty in this case; the protocol itself isn't affected. In other words, it was code specific to OpenSSL that had the bug.

I can't recall any specific ports off the top of my head, but be careful if you have any statically built ports linked to the old OpenSSL libraries. You will have to rebuild those in order to upgrade the statically linked-in libraries.
 
I'm not sure how good this check is but when I ran this it said I am not vulnerable:

http://rehmann.co/projects/heartbeat/

Code:
Please be patient as the tests are run! (Up to 30 seconds!)
It appears that your SSL is running with heartbeat enabled, running further tests...

Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 2817
 ... received message: type = 22, ver = 0302, length = 587
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection

No heartbeat response received, server likely not vulnerable
 
A great place to test if you are vulnerable from the Heartbleed attack is at SSL Labs:

https://www.ssllabs.com/ssltest

This is how my test result looked:
 

[Attachment: HB.png]
kpa said:
It turned out the base system OpenSSL is vulnerable in all supported versions of FreeBSD. A security advisory with the instructions how to update was just released:

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

Are those instructions correct for FreeBSD 10.0-RELEASE-p1? Specifically the below.
3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

IMPORTANT: the update procedure above does not update OpenSSL from the
Ports Collection or from a package, known as security/openssl, which
has to be updated separately via ports or package. Users who have
installed security/openssl should update to at least version 1.0.1_10.


As it looks like there are no updates available.

Code:
root@ip-172-31-6-227:~ # freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.0-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.0-RELEASE-p1.
root@ip-172-31-6-227:~ # freebsd-update install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
root@ip-172-31-6-227:~ # ssh -V
OpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013
root@ip-172-31-6-227:~ # uname -a
FreeBSD ip-172-31-6-227 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr  8 06:45:06 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
 
Silly me, should have checked the actual dates on SSL and the corrected section in the advisory "10.0-RELEASE-p1". I guess this already has the update.

Code:
root@ip-172-31-6-227:/etc # openssl version -a
OpenSSL 1.0.1e-freebsd 11 Feb 2013
built on: date not available
platform: FreeBSD-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"

root@ip-172-31-6-227:/etc # ssh -V
OpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013
 
xy16644 said:
If I use OpenSSL from ports do I still need to apply this patch to OpenSSL in base?
Better be safe than sorry. You may still have ports linked to the base OpenSSL.
 
SirDice said:
xy16644 said:
If I use OpenSSL from ports do I still need to apply this patch to OpenSSL in base?
Better be safe than sorry. You may still have ports linked to the base OpenSSL.

What if you have set /etc/make.conf:

Code:
WITH_OPENSSL_PORT=yes

I do agree that you should apply the patch anyway, but I'm just curious if you need this patch when your ports have been compiled to use the OpenSSL port instead.
 
xy16644 said:
...
What if you have set /etc/make.conf:
Code:
WITH_OPENSSL_PORT=yes

AFAIK, that flag is only effective if you put another one before it:

Code:
USE_OPENSSL=yes

For the gory details, see /usr/ports/Mk/bsd.openssl.mk.

You may want to check whether all your ports are linked with OpenSSL from the ports. Submit one of the following commands as user root, and go for a coffee.

On FreeBSD 9:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so.6\|libcrypto.so.6" | cut -f1 -d' ' | sort -u | xargs -n1 pkg_info -W | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

On FreeBSD 10:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so.7\|libcrypto.so.7" | cut -f1 -d' ' | sort -u | xargs -n1 pkg_info -W | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

This command will output the OpenSSL dependencies that are still linked against the base OpenSSL. It will also create a text file ~/openssl_dependencies.txt which can be fed into portmaster(8) for rebuilding the ports.

portmaster `cat ~/openssl_dependencies.txt`
rm ~/openssl_dependencies.txt

Note that most ports build against OpenSSL from the ports anyway if it is present, regardless of any flags in /etc/make.conf.
 
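Added example, not code from any post in this thread: a small POSIX sh script that automates the two checks the thread keeps returning to. It classifies programs by which OpenSSL soname they resolve, from lines in the ldd -f '%A %o\n' format used in the pipelines above, and it reads an "openssl version" string the way the thread concludes it must be read: the base build reports 1.0.1e-freebsd both before and after the SA-14:06 binary patch, so only the patch level tells you anything there. The sample ldd output is constructed, and libssl.so.8 as the port soname in it is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: automates two checks discussed above.
# Sample data at the bottom is constructed and does not come from a real host.

# base_linked N: read lines in the ldd -f '%A %o\n' format (program path,
# library name) on stdin and print, once each, the programs that resolve
# libssl/libcrypto to the base system soname libssl.so.N / libcrypto.so.N
# (N is 6 on FreeBSD 9 and 7 on FreeBSD 10, as in the thread). The port
# installs a different soname, so programs linked to it are not listed.
base_linked() {
    awk -v n="$1" '$2 == ("libssl.so." n) || $2 == ("libcrypto.so." n) { print $1 }' | sort -u
}

# version_status: classify an "openssl version" string.
#   affected   - 1.0.1 through 1.0.1f, or 1.0.2-beta (the TA14-098A list)
#   fixed      - 1.0.1g or later in the 1.0.1 line
#   base-check - a FreeBSD base build ("-freebsd" suffix). As seen in the
#                thread, it still reports 1.0.1e-freebsd after the SA-14:06
#                binary patch, so the patch level from uname -r decides,
#                not this string.
#   unknown    - anything else (other branches are outside the thread)
version_status() {
    set -- $1          # word-split "OpenSSL 1.0.1e-freebsd 11 Feb 2013"
    case "$2" in
        *-freebsd)          echo base-check ;;
        1.0.2-beta*)        echo affected ;;
        1.0.1|1.0.1[a-f])   echo affected ;;
        1.0.1[g-z]*)        echo fixed ;;
        *)                  echo unknown ;;
    esac
}

# Constructed sample of ldd -f '%A %o\n' output on a FreeBSD 10 host: httpd
# and curl were built against the port (libssl.so.8 is an assumed port
# soname), the Dovecot and Postfix binaries still use the base libssl.so.7.
SAMPLE_LDD='/usr/local/sbin/httpd libssl.so.8
/usr/local/sbin/httpd libcrypto.so.8
/usr/local/libexec/dovecot/imap-login libssl.so.7
/usr/local/libexec/dovecot/imap-login libcrypto.so.7
/usr/local/libexec/postfix/smtpd libcrypto.so.7
/usr/local/bin/curl libssl.so.8
/usr/local/bin/curl libc.so.7'

echo "Programs still linked to base OpenSSL (restart or rebuild these):"
printf '%s\n' "$SAMPLE_LDD" | base_linked 7
echo "port openssl:  $(version_status 'OpenSSL 1.0.1g 7 Apr 2014')"
echo "base openssl:  $(version_status 'OpenSSL 1.0.1e-freebsd 11 Feb 2013')"
```

On a real host, replace the constructed SAMPLE_LDD with the output of the find/ldd part of the pipeline above, and the printed programs are the ones to restart, or to rebuild if they are statically linked.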
OpenSSL 'Heartbleed' vulnerability

Is there a version upgrade for this OpenSSL vulnerability? I checked my version and I'm running v1.0.1-8 which is also showing it's up to date.

Code:
[system: (tcsh):30] pkg_info | grep openssl
openssl-1.0.1_8     SSL and crypto library

[system: (tcsh):31] pkg_version | grep openssl
openssl                             =

[system: (tcsh):32] pkg_add -r openssl
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.2-release/Latest/openssl.tbz... Done.
pkg_add: package 'openssl-1.0.1_8' or its older version already installed

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

NCCIC / US-CERT

National Cyber Awareness System:

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
<https://www.us-cert.gov/ncas/alerts/TA14-098A>
04/08/2014 08:46 AM EDT

Original release date: April 08, 2014


Systems Affected

* OpenSSL 1.0.1 through 1.0.1f
* OpenSSL 1.0.2-beta
 
obsigna said:
xy16644 said:
...
What if you have set /etc/make.conf:
Code:
WITH_OPENSSL_PORT=yes

AFAIK, that flag is only effective if you put another one before it:

Code:
USE_OPENSSL=yes

For the gory details, see /usr/ports/Mk/bsd.openssl.mk.

You may want to check whether all your ports are linked with OpenSSL from the ports. Submit one of the following commands as user root, and go for a coffee.

On FreeBSD 9:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so.6\|libcrypto.so.6" | cut -f1 -d' ' | sort -u | xargs -n1 pkg_info -W | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

On FreeBSD 10:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so.7\|libcrypto.so.7" | cut -f1 -d' ' | sort -u | xargs -n1 pkg_info -W | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

This command will output the OpenSSL dependencies that are still linked against the base OpenSSL. It will also create a text file ~/openssl_dependencies.txt which can be fed into portmaster(8) for rebuilding the ports.

portmaster `cat ~/openssl_dependencies.txt`
rm ~/openssl_dependencies.txt

Note that most ports build against OpenSSL from the ports anyway if it is present, regardless of any flags in /etc/make.conf.

Thanks Obsigna. This fix/patch worked like a charm.
 