This weekend, a very serious OpenSSL vulnerability was published, causing system administrators all over the world to scramble to their consoles in order to update their systems so that they are no longer vulnerable.
For those less well-versed in system administration (like myself!), here's how to patch your system against Heartbleed:
- As root, run `apt-get update && apt-get dist-upgrade`, and ensure that libssl is among the list of packages updated:

```
root@server:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  ... truncated...
The following packages will be upgraded:
  ... libgnutls-openssl27 ... libssl1.0.0 ... openssl ...
105 upgraded, 20 newly installed, 0 to remove and 0 not upgraded.
Need to get 151 MB of archives.
After this operation, 218 MB of additional disk space will be used.
Do you want to continue [Y/n]?
```
- After upgrading, ensure that `libssl1.0.0` is of this version or greater:
- Ubuntu 13.10: 1.0.1e-3ubuntu1.2
- Ubuntu 12.10: 1.0.1c-3ubuntu2.7
- Ubuntu 12.04 LTS: 1.0.1-4ubuntu5.12
- You can check by running `apt-cache policy libssl1.0.0`
You're not done yet!
After this, you have to ensure that any running services still using the old libssl library are purged.
The easiest way to do this is to just reboot your machine.
For advanced users, or those who would prefer not to restart, find all services still using the old ssl library by running `lsof -n | grep ssl`. Look for any entries with `DEL`. Purge them (restart services, kill processes, etc.) as necessary.
$ lsof -n | grep ssl
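
A stricter version of the `lsof -n | grep ssl` check above, as an added example that is not part of the original post: it keeps only `DEL` rows that name libssl and prints each affected process once. The function names and the sample lsof rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: report processes that still map the deleted, pre-upgrade
# libssl, based on `lsof -n` output read from stdin.

# stale_ssl_procs: prints "PID COMMAND", once per process, for rows whose FD
# column is DEL and whose line names libssl. FD is field 4, or field 5 on
# rows where lsof prints a TID (thread) column.
stale_ssl_procs() {
    awk '($4 == "DEL" || $5 == "DEL") && /libssl/ && !seen[$2]++ { print $2, $1 }'
}

# stale_ssl_commands: same input, collapsed to "COUNT COMMAND" so it is clear
# which services need a restart.
stale_ssl_commands() {
    stale_ssl_procs | awk '{ n[$2]++ } END { for (c in n) print n[c], c }' | sort -k2
}

# Constructed sample of lsof output (not captured from a real host).
# nginx and dovecot still map the deleted library; apache2 was restarted and
# maps the new one; the curl and postgres rows are noise that a plain
# "grep ssl" or a plain "grep DEL" would also pick up.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx     1021 www-data  DEL    REG    8,1          131145 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1021 www-data  mem    REG    8,1  1853400 131090 /lib/x86_64-linux-gnu/libc-2.17.so
nginx     1022 www-data  DEL    REG    8,1          131145 /lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2   2210     root  mem    REG    8,1   387272 131311 /lib/x86_64-linux-gnu/libssl.so.1.0.0
curl      3050    alice   5r    REG    8,1   245000 140020 /etc/ssl/certs/ca-certificates.crt
postgres   990 postgres  DEL    REG    0,4           32769 /SYSV0052e2c1
dovecot   1500     root  DEL    REG    8,1          131145 /lib/x86_64-linux-gnu/libssl.so.1.0.0
EOF
}

# Demo on the sample. On a live system, as root: lsof -n | stale_ssl_procs
sample_lsof | stale_ssl_procs
```

An empty result from `lsof -n | stale_ssl_procs` after restarting services means no running process still maps the old library.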