Installing Heartbleed patch

English Forums Feedback
#1

Although I also just posted in the heartbleed thread in the Applications forum, I think this important enough to re-post here.

If you’re in the habit of running “zypper up” you <will not> patch your openssl if you already have openssl v1.0.1e installed (and if you regularly run zypper up this would be the case).

You must also
run the following to capture the heartbeat patch

zypper patch

The only time “zypper patch” might be avoided is if you’re installing openssl when it didn’t exist before or you haven’t updated your system for months.

TSU

#2

I did simply YaST > Software > Online Update (also known as YaST Online Update or YOU) as I do reglary and it installed the patch. This is the same as zypper patch.

But IMHO zypper up includes zypper patch. The problem is that I never use zypper up, thus I can not prove that zypper up does install this particular path. And you did alread zypper patch, thus unless you deinstall it, you can not repeat it to prove what you say.

#3

I already had the latest version installed, simply got an update. It could be forced from the spec. file IIRC.

#4

Is repeatable.

As I described, if you already have openssl v 1.0.1e installed (current stable), it won’t update to with the patch with simply “zypper up”
Requires “zypper patch”

If you don’t have v 1.0.1e installed, then you’d be “newly installing 1.0.1e” which would mean you’d get the patch.

Is easy to verify.
No matter what method you normally use to update your system, after it runs run “zypper patch” and see if openssl v 1.0.1e is offered again.

TSU

#5

Considering I never do zypper patch and only zypper up

rpm -qa openssl
openssl-1.0.1e-11.32.1.x86_64
kernelcruncher@kernelcruncher:~> rpm -qi openssl
Name        : openssl
Version     : 1.0.1e
Release     : 11.32.1
Architecture: x86_64
Install Date: Wed 09 Apr 2014 04:31:56 BST
Group       : Productivity/Networking/Security
Size        : 1310122
License     : OpenSSL
Signature   : RSA/SHA256, Tue 08 Apr 2014 11:05:25 BST, Key ID b88b2fd43dbdc284
Source RPM  : openssl-1.0.1e-11.32.1.src.rpm
Build Date  : Tue 08 Apr 2014 08:21:55 BST
Build Host  : build08
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://www.openssl.org/
Summary     : Secure Sockets and Transport Layer Security
#6

Same here. (I only ever run zypper up.)

#7

Same here.

And this is of course how “zypper up” is designed to work.

IMHO, if you don’t get the fixed “libopenssl1_0_0” package with “zypper up”, you either don’t have the update repo in your repo list (but then you would not get it with “zypper patch” either of course), or you installed it from a different repo than the standard OSS one. (“vendor stickiness”)

I doubt that anybody here did install the package newly.
It is required by so many other packages (directly or indirectly), that you wouldn’t be able to boot your system without it.
Just try to uninstall it as a test, zypper says this on my system: (I omitted the list of packages that are going to be removed, because it was too long, but I guess you should see the point)

# zypper rm libopenssl1_0_0
Loading repository data
Reading installed packages...
Resolving package dependencies...

The following 4 NEW packages are going to be installed:
  emacs-nox gcc-gij gcc48-gij java-1_5_0-gcj-compat 

The following 2770 packages are going to be REMOVED:
...
The following package is going to be downgraded:
  libtotem-plparser-mini18 

1 package to downgrade, 4 new, 2770 to remove.
Overall download size: 1.8 MiB. After the operation, 8.6 GiB will be freed.
Continue? [y/n/p/? shows all options] (y):
#8

Exactly the same here except my openssl Install Date was 08 Apr. This is on Tumbleweed where “zypper dup” takes care of all updates including patches.

Just ran “zypper patch”: Nothing to do.

#9

How so? If it’s already installed, as for most users, openssl would have been updated several times from Oss Updates repo (see below from/var/log/zypp/history). Therefore I don’t get your scenario.

Version 1.0.1e goes back to 12.3 at least, where actually I see it in my Tumbleweed’s zypp log:

2013-09-21 16:24:18|install|openssl|1.0.1e-1.1.1|x86_64||openSUSE-12.3-1.7|4a9ea9efc93c42e6667550385313d887ed2d35b0efc40567b851d9ad4ec3de8e|

Tumbleweed rolled on through to a rebase on 13.1 where openssl is installed from the standard Oss repo:

2013-11-20 13:41:07|install|openssl|1.0.1e-11.2.1|x86_64||openSUSE Current OSS|858b567d77246065cc499cd6a43f22cee7cfa475f6e2a354ca2d7235981d3a6d|

Several openssl updates later this is the fourth:

2014-02-12 17:06:37|install|openssl|1.0.1e-11.24.1|x86_64||openSUSE Current OSS updates|81ae928f73029b8f00f2c790d8a2f3a35b2e63302de0cf8317dcf76f15af243e|

Followed by the latest update (assuming patch included):

2014-04-08 16:02:33|install|openssl|1.0.1e-11.32.1|x86_64||openSUSE Current OSS updates|d51c904b72551604c57448525622b1325a24b5f194e2f5c97fe93dc0933d704b|

If you don’t have v 1.0.1e installed, then you’d be “newly installing 1.0.1e” which would mean you’d get the patch.

Is easy to verify.

Probably, but again that is an unlikely scenario if 13.1 is installed. So how did you reproduce and verify?

#10

On Thu, 10 Apr 2014 19:06:01 +0000, tsu2 wrote:

> Although I also just posted in the heartbleed thread in the Applications
> forum, I think this important enough to re-post here.
>
> If you’re in the habit of running “zypper up” you <will not> patch your
> openssl if you already have openssl v1.0.1e installed (and if you
> regularly run zypper up this would be the case).
>
> You must also run the following to capture the heartbeat patch
>
> Code:
> --------------------
> zypper patch
> --------------------
>
>
> The only time “zypper patch” might be avoided is if you’re installing
> openssl when it didn’t exist before or you haven’t updated your system
> for months.
>
> TSU

One thing I noticed when updating my systems was that on one where I had
the openssl debuginfo installed, the patch wasn’t installed using zypper
up. I had to specifically run “zypper patch” and then force it to remove
the debuginfo patch for the patch to be installed.

If you run “zypper pch” and search for “Needed” patches, that’ll tell you
if you have anything that wasn’t applied by “zypper up” due to a conflict
of some sort.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

#11

You need to enable the “Update-debug” repo, too.

debuginfo packages require the exact same package version/revision, so you effectively block updates by not enabling that repo, which contains debuginfo packages for the updates.

#12

On Sun, 13 Apr 2014 17:46:02 +0000, wolfi323 wrote:

> hendersj;2636591 Wrote:
>> One thing I noticed when updating my systems was that on one where I
>> had the openssl debuginfo installed, the patch wasn’t installed using
>> zypper up. I had to specifically run “zypper patch” and then force it
>> to remove the debuginfo patch for the patch to be installed.
>>
>> If you run “zypper pch” and search for “Needed” patches, that’ll tell
>> you if you have anything that wasn’t applied by “zypper up” due to a
>> conflict of some sort.
>>
> You need to enable the “Update-debug” repo, too.
>
> debuginfo packages require the exact same package version/revision, so
> you effectively block updates by not enabling that repo, which contains
> debuginfo packages for the updates.

That would do it - not sure how I missed that, but thanks for the
pointer. :slight_smile:

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

#13

One can also check the change log:


oldcpu@4770:~> rpm -qi openssl --changelog | grep -A3 'Tue Apr 08'
* Tue Apr 08 2014 shchang@suse.com
- Fixed bug bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
  Add file: CVE-2014-0160.patch
#14

I don’t have the “update-debug” repo installed, just the normal update repos…

For my machines which were affected (3 machines),
Had been running “zypper up” at least weekly on a regular basis, so had already installed “some version” of openssl 1.0.1e (all had been updated approx. Thurs before the weekend news was widely publicized which was also well before the patch was integrated).
After the news, I closely watched the results of “zypper up” all the way until Wednesday, every attempt to “zypper up” did <not> include an openssl patch.
On Wednesday, well after the patch was supposedly integrated, I ran “zypper patch” and finally the openssl package was re-listed for download/install (along with a number of other patches).
Did the same on the other 2 machines.

So, I’m pretty sure at least in my eyes that <something> existed which prevented patches from being installed using “zypper up” (could it be that the “update-debug” repo is required? - I usually don’t associate any debug repo with ordinary maintenance, only for providing troubleshooting support).

TSU

#15

No, it is not “required” per se.

But if you install debuginfo packages from the debug repo, you should enable the update-debug repo as well. Otherwise you won’t get updates for those packages you installed the debuginfo packages for, as they require the exact version.

So, always enable the “update-debug” repo as well, if you enable the “debug” repo.

Or, to put it differently:
If you install openssl-debuginfo-1.0.1e-11.2.1 from the debug repo, it requires openssl-1.0.1e-11.2.1. So “zypper up” cannot update openssl to the latest version 1.0.1e-11.32.1 from the update repo, because that would cause a conflict.
Enabling the “update-debug” repo as well would make openssl-debuginfo-1.0.1e-11.32.1 available, so “zypper up” can (and will) update both without any dependency conflict.

#16

My repos on one machine, you can see that for <both> repo-debug and repo-debug-update, they both are configured to be refreshed but are disabled.

# zypper lr
#  | Alias                              | Name                               | Enabled | Refresh
---+------------------------------------+------------------------------------+---------+--------
 1 | Packman Repository                 | Packman Repository                 | Yes     | Yes    
 2 | devel:languages:ruby:extensions    | devel:languages:ruby:extensions    | Yes     | No     
 3 | download.opensuse.org-13.1-non-oss | Update Repository (Non-Oss)        | Yes     | Yes    
 4 | download.opensuse.org-non-oss      | Main Repository (NON-OSS)          | Yes     | Yes    
 5 | download.opensuse.org-oss          | Main Repository (OSS)              | Yes     | Yes    
 6 | download.opensuse.org-update       | Main Update Repository             | Yes     | Yes    
 7 | libdvdcss repository               | libdvdcss repository               | Yes     | Yes    
 8 | openSUSE-13.1-1.10                 | openSUSE-13.1-1.10                 | Yes     | No     
 9 | openSUSE_13.1:Python_repo          | openSUSE_13.1:Python_repo          | Yes     | No     
10 | repo-debug                         | openSUSE-13.1-Debug                | No      | Yes    
11 | repo-debug-update                  | openSUSE-13.1-Update-Debug         | No      | Yes    
12 | repo-debug-update-non-oss          | openSUSE-13.1-Update-Debug-Non-Oss | No      | Yes    
13 | repo-source                        | openSUSE-13.1-Source               | No      | Yes

Don’t worry about repos
2 - No current use for Ruby Dev support on this machine
8 - That’s the DVD (of course disabled)
9 - No current use for Python Dev support on this machine

#17

Well, but the real question would rather be whether you had any openssl debuginfo package installed
If yes, this would have blocked the update as you didn’t have repo-debug-update enabled (as explained before).

If no, then your problem must have been caused by something else.
But I have no idea then by what, as I am no clairvoyant.
And as I already said, “zypper up” installed the openssl/libopenssl1_0_0 updates just fine here as it is supposed to do.