Hearthbleed (Raspberry Pi)

The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive). Later versions (1.0.1g and ulterior[60]) and previous versions (1.0.0 branch and older) are not vulnerable. Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.

http://en.wikipedia.org/wiki/Heartbleed#Affected_OpenSSL_installations

Check openssl version:

$> openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Mar 24 12:44:00 UTC 2013

That’s bad, update needed!

$> sudo apt-get update
$> sudo apt-get install -y libssl1.0.0 openssl

Check version again:

$> openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Apr 20 11:41:41 UTC 2014

Version is still one of the affected versions, but build-date indicates a patch.

According to http://www.raspberrypi.org/forums/viewtopic.php?t=74133 debian backported a patch to 1.0.1e-2+rvt+deb7u5

$> sudo apt-cache show openssl
Package: openssl
Version: 1.0.1e-2+rvt+deb7u7

We are good, just reboot now:

$> sudo reboot

Oh, also replace any and all certificates and make all users replace their passwords, you know the drill.

Linux services add/remove

Beaglebone:

add the service to autostart:
update-rc.d <servicename> defaults

remove the service:
update-rc.d -f <servicename> remove

 

Raspberry Pi:

as beaglebone, but with sudo in front of the rest, like:

add the service to autostart:
sudo update-rc.d <servicename> defaults

remove the service:
sudo update-rc.d -f <servicename> remove

-max