opensuse 12.2 and ssh heartbleed.

Good morning,
are there any openssl updates for openSUSE 12.2 too? At least 1.0.1g, I think :slight_smile:
Thanks and best regards
J.Karliak.

No. 12.2 is out of support since January already. There are no updates any more, better upgrade to a supported version (12.3 or 13.1).

See also: Lifetime - openSUSE Wiki

That said, the fixed 12.3 package is available for 12.2 here: Install package home:bmwiedemann:branches:openSUSE:12.3:Update / openssl

Ohh,
not ssh but ssl - my mistake in the Title.
Anyway - the test "echo HEAD / | openssl s_client -connect server:443 -tlsextdebug 2>&1 | grep -i 'TLS server extension "heartbeat"'" displays it as enabled:
TLS server extension "heartbeat" (id=15), len=1

rpm -qa:
openssl-1.0.1e-1.46.2.x86_64

I planned to distro-update the server, but not right now. It is a quite important server; management must agree to server maintenance :-/
Any recommendations for now? How to disable heartbeat in SSL? Or something similar?

Thanks and best regards

J.Karliak.

Hello,
Please use CODE tags around your copied/pasted computer text, to make it readable for others.
To get the tags, click on the # button in the tool bar of the post editor.

Hi,
sorry. Here it is.

echo HEAD / | openssl s_client -connect server:443 -tlsextdebug 2>&1 | grep -i 'TLS server extension "heartbeat"'

TLS server extension "heartbeat" (id=15), len=1

No idea.

You asked for an openssl update for 12.2, and the packages I linked to contain the fix for that heartbeat issue as released for 12.3 and 13.1:

rpm -qp --changelog http://download.opensuse.org/repositories/home:/bmwiedemann:/branches:/openSUSE:/12.3:/Update/openSUSE_12.2/x86_64/libopenssl1_0_0-1.0.1e-1.46.2.x86_64.rpm | head
warning: http://download.opensuse.org/repositories/home:/bmwiedemann:/branches:/openSUSE:/12.3:/Update/openSUSE_12.2/x86_64/libopenssl1_0_0-1.0.1e-1.46.2.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b49c2121: NOKEY
* Tue Apr 08 2014 shchang@suse.com
- Fixed bug bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
  Add file: CVE-2014-0160.patch

Btw, I hope you updated all the openssl packages to the versions from that repo, libopenssl1_0_0 in particular.
The “openssh” package alone is NOT sufficient.
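The changelog check above is the reliable way to tell whether a backported build carries the fix, because the version string stays 1.0.1e either way. The following script is an added example, not code from this thread or from openSUSE: it wraps that check in a small shell function, runs it offline against two constructed sample changelogs (the first mirrors the entry quoted above), and, on a real RPM-based host, queries the installed package with `rpm -q --changelog` (the package name libopenssl1_0_0 is taken from the thread; the sample e-mail address and the second changelog entry are made up).

```shell
#!/bin/sh
# Added example (not from the thread or from openSUSE): verify the Heartbleed
# backport by looking for CVE-2014-0160 in the RPM changelog instead of
# probing the TLS heartbeat extension, which is present on patched and
# unpatched builds alike.

# Does a changelog text ($1) mention the Heartbleed fix? Exit 0 if yes.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Human-readable verdict for a changelog text ($1).
verdict() {
    if changelog_has_fix "$1"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# Query an installed package on an RPM-based host (assumes rpm is available).
# libopenssl1_0_0 is the library package that matters, as noted in the thread.
check_installed() {
    pkg=${1:-libopenssl1_0_0}
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot query $pkg" >&2
        return 2
    fi
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
        echo "$pkg is not installed" >&2
        return 2
    }
    echo "$pkg: $(verdict "$log")"
}

# Constructed sample changelogs for offline use. The first entry reproduces the
# one shown in the thread; the maintainer address in the second is invented.
SAMPLE_PATCHED='* Tue Apr 08 2014 shchang@suse.com
- Fixed bug bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
  Add file: CVE-2014-0160.patch
* Mon Jan 13 2014 maintainer@example.invalid
- update to 1.0.1e'

SAMPLE_UNPATCHED='* Mon Jan 13 2014 maintainer@example.invalid
- update to 1.0.1e'

# Demo output when run directly; the live query is skipped where rpm is absent.
echo "sample patched build:   $(verdict "$SAMPLE_PATCHED")"
echo "sample unpatched build: $(verdict "$SAMPLE_UNPATCHED")"
check_installed libopenssl1_0_0 || true
```

Run it on the server after installing the repo packages; "libopenssl1_0_0: patched" means the backport is in place. Remember that services which loaded the old library (Apache, for example) keep the vulnerable code in memory until they are restarted, so the package check is necessary but not sufficient on its own.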

Hi,
thanks for answer. Yes, I did:
rpm -qa | grep ssl
libopenssl-devel-1.0.1e-1.46.2.x86_64
openssl-1.0.1e-1.46.2.x86_64
libopenssl1_0_0-1.0.1e-1.46.2.x86_64
libopenssl1_0_0-32bit-1.0.1e-1.46.2.x86_64

zypper lr openssl::heartbleed
Alias : openssl::heartbleed
Name : openssl::heartbleed
URI : http://download.opensuse.org/repositories/home:bmwiedemann:branches:openSUSE:12.3:Update/openSUSE_12.2
Enabled : Yes
Priority : 99
Auto-refresh : Off
Keep Packages : Off
Type : rpm-md
GPG Check : On
GPG Key URI :
Path Prefix :
Parent Service :
MD Cache Path : /var/cache/zypp/raw/openssl::heartbleed

Still no progress. Or is the test command not right? How do you test it?
Thanks
J.K.

Please use CODE tags around the copied/pasted computer text. It is the # button in the tool bar of the post editor.

As I said, I have no idea.

Those packages are the same as have been released as security updates for 12.3 and 13.1.

But I think you misunderstand something here: they don’t disable the heartbeat extension, they fix the vulnerability (CVE-2014-0160).

@karlios.

My idea is that you misunderstand the background of the answers you get. You are given advice on how it “could be” possible for you to patch the vulnerability by using the 12.3/13.1 patches.
You must understand, however, that people here moved to 12.3 and/or 13.1 before 12.2 went out of support. Thus they are not able to try and/or test anything on 12.2. You are on your own there.

And when your management does not understand how important it is to stay up to date with the software to be able to react to security vulnerabilities in due time, there is something wrong there imho.

On 04/09/2014 03:06 AM, karlijos wrote:
>
> Hi,
> thanks for answer. Yes, I did:
> rpm -qa | grep ssl
> libopenssl-devel-1.0.1e-1.46.2.x86_64
> openssl-1.0.1e-1.46.2.x86_64
> libopenssl1_0_0-1.0.1e-1.46.2.x86_64
> libopenssl1_0_0-32bit-1.0.1e-1.46.2.x86_64
>
> zypper lr openssl::heartbleed
> Alias : openssl::heartbleed
>
> Name : openssl::heartbleed
>
> URI : http://tinyurl.com/kml3z26
> Enabled : Yes
>
> Priority : 99
>
> Auto-refresh : Off
>
> Keep Packages : Off
>
> Type : rpm-md
>
> GPG Check : On
>
> GPG Key URI :
>
> Path Prefix :
>
> Parent Service :
>
> MD Cache Path : /var/cache/zypp/raw/openssl::heartbleed
>
> Still no progress. Or the test command is not right ? How do you test it
> ?

Valid tests that actually attempt to exploit the vulnerability rather than
simply look for the presence of TLS heartbeat functionality are available
online; Google for them and use them as desired. In the meantime, most of
the really simple tests (like yours looking for supported headers during
the very first part of the TLS handshake from the server) merely tell you
whether or not the server supports TLS Heartbeat, whether in patched or
unpatched form. As a result, your test is invalid and likely to throw
false positives (indicating problems when there are not).

If your openssl build is from 2014-04-07 or later you’re almost certainly
fixed. To prove otherwise, exploit the issue and retrieve sensitive data,
then report back.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

On 04/09/2014 06:16 AM, hcvv pecked at the keyboard and wrote:
> @karlios.
>
> My idea is that you misunderstand the background of the answers you get.
> You are given advice on how it “could be” possible for you to patch for
> the vulnerability by using the 12.3/13.1 patches.
> You must understand however that people here moved to 12.3 and/or 13.1
> before 12.2 went out of support. Thus they are not able to try and or
> test anything on 12.2. You are on your own there.
>
> And when your management does not understand how important it is to stay
> up to date with the software to be able to react on security
> vulnerabilities in due time, there is something wrong there imho.
>
>

And if the server is that important, it really should be using SLES
instead, which provides long-term support.

Ken

Oh yes. In fact I hoped that my hint would initiate some thinking on their part and I am with you hoping that that thinking should lead to the conclusion that SLES is probably a much better solution.

There are some caveats here though;
SLES is expensive. Really, really expensive over the span of 5 years for a single server even with the lowest level of support. If you use it in a virtualized environment, then you’re double screwed because the price goes through the roof - it actually becomes cheaper to have a person on site maintaining the “open” versions than it does to license them from SUSE.

Second problem is that many of the packages included in SLES are hideously out of date. If you want to upgrade the ancient tools that come with it you’re left with an unsupported OS and you’re back to square one.

In all cases “maintaining it” is the keyword.

I’m confused. The patches that people are being directed at, and the ones that seem most current in yast2, are openssl 1.0.1e. However, this is a vulnerable version of openssl - don’t we need 1.0.1g?

Why bother? You have many more security problems than heartbleed if you’re still running 12.2 on your server. That’s extremely irresponsible. Well good luck…

No. An upgrade to 1.0.1g would bring many unrelated changes, which very few Linux distributions would be willing to release as an update. Instead, they’ll add a patch to the previous version just to fix the vulnerability.

Check out Show openSUSE:12.3:Update / openssl - openSUSE Build Service to see how it works; notice openSUSE has several patches on top of the upstream 1.0.1e release, including CVE-2014-0160.patch which fixes heartbleed.

According to what I read on the openSSL project site,

Source which includes the patch is available, and it is more or less implemented as described in the previous post in this thread.
When compiled properly, the new version should <not> read 1.0.1x; a new minor version will result: “1.0.2”

I haven’t been able to verify that anyone has built a working patched package, although the previous posts suggest it might exist.
In any case, I am hoping that an official patched package is released sooner rather than later. As I’m writing this, I see at http://software.opensuse.org that there are a number of private builds of a “1.0.1g” which I assume are patched versions (can’t know for sure), because the current stable release is 1.0.1e and at the openssl project site they say their last official release is 1.0.1f.

TSU

If you really, really want to you can grab the 12.3 source rpm, adjust the version number to be higher than included with 12.2 and build it against 12.2 and it will build cleanly. Then install those RPMs on 12.2.

However that is a bad idea and anyone still running 12.2 should update to 12.3, at least. 13.1 comes with some upgrade caveats like MariaDB/MySQL and Apache 2.4.x which require minor configuration modifications.

Edit:
Also, the patched 12.3/13.1 will not be f or g versions but instead backported e. For example on a 13.1 system the package version is openssl-1.0.1e-11.32.1

Interesting.
So, I just tested on my systems… although I ordinarily just run “zypper up” with the expectation that an update should provide superior protection and implement <all> recent improvements, in this case <it will not capture the heartbleed patch>.

After running “zypper up” I have just run “zypper patch” and <only then> am I getting the patched openssl package.

So, this is how people should update their systems to get the heartbleed patch…

TSU