Hearthbleed (Raspberry Pi)

The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive). Later versions (1.0.1g and ulterior[60]) and previous versions (1.0.0 branch and older) are not vulnerable. Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.

http://en.wikipedia.org/wiki/Heartbleed#Affected_OpenSSL_installations

Check openssl version:

$> openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Mar 24 12:44:00 UTC 2013

That’s bad, update needed!

$> sudo apt-get update
$> sudo apt-get install -y libssl1.0.0 openssl

Check version again:

$> openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Apr 20 11:41:41 UTC 2014

Version is still one of the affected versions, but build-date indicates a patch.

According to http://www.raspberrypi.org/forums/viewtopic.php?t=74133 debian backported a patch to 1.0.1e-2+rvt+deb7u5

$> sudo apt-cache show openssl
Package: openssl
Version: 1.0.1e-2+rvt+deb7u7

We are good, just reboot now:

$> sudo reboot

Oh, also replace any and all certificates and make all users replace their passwords, you know the drill.

Skriv et svar

This site uses Akismet to reduce spam. Learn how your comment data is processed.