andrew wulf's picture

My server is clearly affected by the heartbleed bug (basic LAMP appliance) but I see no security changes at all. How do I fix this since the fixes are the responsibility of Turnkey? I checked the logs and even rebooted the server but I am still shown as vulnerable. There isn't much here anyone would want to steal but how can I trust the security of the appliance if the single biggest issue in the history of Linux seems to have no fixes?

Forum: 
Jeremy Davis's picture

And after running the security updates i.e. cron-apt - which auto installs security updates every 24 hours - it was secure as per this test site. The only thing that I could imagine is that perhaps Apache needs to be restarted, but rebooting would take care of that...

Can you check what version of OpenSSL you have installed:

apt-get update && apt-cache policy openssl

(And copy paste the result here).

andrew wulf's picture

Appears the appliance I have is Lamp, TurnKey Linux 11.3 / Ubuntu 10.04 Lucid LTS which runs openssl 

  Installed: 0.9.8k-7ubuntu8.15

which isn't supposed to be vulnerable. I wonder why the heartbleed test page says I am leaking 20K of data?

BTW I tried to paste the entire result of that command and the forum rejected the post as spam :-)

Jeremy Davis's picture

TBH I'm not sure what is going on with that. I tested the v12.1 LAMP release as well and (until security updates are applied - using cron-apt - the script that runs nightly) it also reports as vulnerable. Once the updates are done though it reports as ok.

FWIW whilst technically v11.1 should still be ok to use (it's based on Ubuntu 10.04 which should still get another year of security updates) it is not supported by TurnKey Linux. V12.1 is considered legacy, but support for that ends this month anyway...

andrew wulf's picture

do I upgrade the appliance to the latest? I assume I could reimport things on a new server, is there any other way?

Jeremy Davis's picture

Did you try

apt-cache policy openssl

? - It should return something like this:

openssl:
  Installed: 1.0.1e-2+deb7u7
  Candidate: 1.0.1e-2+deb7u7
  Version table:
 *** 1.0.1e-2+deb7u7 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages

Note that Heartbleed was patched in 'openssl 1.0.1e-2+deb7u5' (see DSA-2896 and/or CVE-2014-0160).

As discussed over on the announcement (specifically here) that if you use the -a switch when checking the version of OpenSSL:

openssl version -a

It should display (in part) something like this:

OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 17 21:51:33 UTC 2014
....

Add new comment