The Heartbleed bug (more properly known as CVE-2014-0160) is very troubling. In one day, much faith in internet security was shaken. While there is nothing that can be done to fix the last two years that the bug has been in the wild, patching servers ASAP and getting newly generated SSL certs can ensure that the sites we control no longer add to the problem.
You can check whether your site is vulnerable by using this tool. After following the instructions here, you can use the tool again to verify that the fix was successful.
Ubuntu’s official security notice for Heartbleed can be found here. The notice provides the version number of the patched OpenSSL package. To confirm that Ubuntu is patched against the issue, check the installed version of the libssl1.0.0 package, which is the OpenSSL library. The patched version depends on the version of Ubuntu:
Note that only supported versions received the update. 10.04 isn’t listed because its version of OpenSSL predates the bug. The absence of 13.04 from the list seems a bit odd, but it reached end of life on January 27, 2014. You can see a list of Ubuntu’s versions and their support terms here.
If your version isn’t listed above, you need to upgrade to one of the supported versions ASAP. I don’t recommend upgrading to 12.10, as it reaches end of life at the end of this month (given that some of my servers are running this version, I know what I’m going to be working on). You should either run a current LTS version (such as 12.04) or stay on the current version (currently 13.10).
Patching this bug in Ubuntu is quite easy:
[gaarai@linode ~]$ sudo apt-get update
Ign http://us.archive.ubuntu.com quantal InRelease
Get:1 http://ftp.osuosl.org precise InRelease [2,506 B]
...
Ign http://us.archive.ubuntu.com quantal-backports/restricted Translation-en_US
Ign http://us.archive.ubuntu.com quantal-backports/universe Translation-en_US
Fetched 2,758 kB in 10s (264 kB/s)
Reading package lists... Done
[gaarai@linode ~]$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  libssl-dev libssl-doc libssl1.0.0 openssl
...
Current status: 0 updates [-1].
[gaarai@linode ~]$ dpkg-query -l libssl1.0.0
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version           Architecture      Description
+++-=========================-=================-=================-==============================
ii  libssl1.0.0:amd64         1.0.1c-3ubuntu2.7 amd64             SSL shared libraries
[gaarai@linode ~]$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.10
Release:        12.10
Codename:       quantal
[gaarai@linode ~]$
As can be seen from the output, the system is running version 1.0.1c-3ubuntu2.7. Since the server is running Ubuntu 12.10, this is the patched version of the library.