#1 By: Matthew Bloch, April 7th, 2014 20:38
Here's how we're responding to the OpenSSL vulnerability announced at http://heartbleed.com/
This is a very serious security vulnerability in software that is deployed on almost every up-to-date Linux server, including those at Bytemark. It allows a knowledgeable attacker to steal SSL keys, or other sensitive data from your server, and should not go unpatched. Unfortunately it is not clear at the moment that there is any way to know whether this has already happened, since the vulnerability has been around for 2 years.
Most of Bytemark's servers are configured to automatically install new security updates, and to restart affected services. This will cause a brief outage over most of your internet-facing services, for a few seconds, and as with any restart, a risk that the restart won't work. We're here if this happens to you.
Users of Symbiosis and most managed customers will be upgraded automatically over the next 24 hours.
Some managed customers have requested manual security updates, and will be upgraded manually.
Everyone else is advised to read the security advisory and take action - our support team will be on hand to help diagnose and reassure you if you phone or email us.
You may want to contact your SSL certificate vendor and request a new certificate to completely cover yourself. If you need a new certificate Bytemark can supply and install them for £69, but many vendors may reissue yours for free. We are waiting for reaction from certificate vendors before advising here.
Thanks for your patience - we are expecting a little higher load on support over the next couple of days but will get back to you as quickly as possible on this important internet-wide problem.
#2 By: Ian Chilton, April 8th, 2014 03:17
There was a slight typo in one of the links to the advisory above - you can find it here: http://heartbleed.com
#3 By: Christian De Larrinaga, April 8th, 2014 08:32
Thank you for the advisory.
I assume generating fresh keys with a vulnerable version of OpenSSL is not helpful?
So the action recommended for Symbiosis users is to do so using an older version or wait until after Symbiosis is updated to OpenSSL version 1.01g. At this time my wheezy service is on OpenSSL 1.0.1e 11 Feb 2013 which is not secure.
My older bytemark shared volumes are using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 which appears to be OK according to the info I've seen so far and so no further action is needed.
#4 By: Patrick Cherry, April 8th, 2014 17:23
Symbiosis uses the ordinary Debian security updates, and so you can just run
apt-get update followed by
apt-get upgrade to upgrade everything. That should restart (at least) the following services
as well as others. Please make sure those services have been restarted. Additionally you may want to regenerate any SSL keys on your server, and request corresponding new SSL certificates where necessary.
#5 By: Christian De Larrinaga, April 15th, 2014 03:23
As of this morning - apt-get update/upgrade take openssl to OpenSSL 1.0.1e 11 Feb 2013, not to 'g'.
Presumably this means either waiting for an official update for wheezy or recompiling locally https://www.openssl.org/news/secadv_20140407.txt
#6 By: David Wilkinson, April 15th, 2014 04:02
It should be a patched version of 1.0.1e, if the installed package is 1.0.1e-2+deb7u5 then it's not vulnerable.
You need to make sure you have the security repo in your apt sources.
deb http://security.debian.org/ wheezy/updates main contrib non-free
#7 By: Christian De Larrinaga, April 15th, 2014 06:25
the update gave me 1.0.1e-2+deb7u6
apt-cache policy openssl
*** 1.0.1e-2+deb7u6 0
500 http://security.debian.org/ wheezy/updates/main amd64 Packages
500 http://mirror.bytemark.co.uk/debian/ wheezy/main amd64 Packages
#8 By: David Wilkinson, April 15th, 2014 06:40
Then it should be fine, I mean to say u5 and up.
If I recall correctly u6 tries to advise you on which services you need to restart for the patch to take effect. I have found it doesn't catch all services and tends to miss Apache.
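The checks discussed in posts #4, #6 and #8 (is the installed wheezy openssl at least 1.0.1e-2+deb7u5, and which services are still running the pre-upgrade library), as an added example that is not code from the thread or from Bytemark. The version comparison follows dpkg's ordering rules; the process scan looks for deleted libssl/libcrypto mappings in /proc/<pid>/maps, and the sample maps lines in the test are constructed.

```python
"""Added example: verify the wheezy openssl package carries the Heartbleed fix,
and list processes that still map a deleted libssl/libcrypto (not restarted)."""
import glob
import re

FIXED = "1.0.1e-2+deb7u5"   # first wheezy build with the fix, per the thread

def _order(c):
    # dpkg's character ordering: '~' sorts before everything, even end of string
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit and numeric segments, as dpkg's verrevcmp() does
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group(); nb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        diff = int(na or 0) - int(nb or 0)   # numeric segments compare as integers
        if diff: return diff
    return 0

def compare_deb_versions(a, b):
    """Sign of a - b under Debian version ordering (epoch, upstream, revision)."""
    def split(v):
        epoch, _, v = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = v.rpartition("-") if "-" in v else (v, "", "")
        return int(epoch), up, rev
    ea, ua, ra = split(a); eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def wheezy_openssl_patched(installed_version):
    return compare_deb_versions(installed_version, FIXED) >= 0

_OLD_SSL = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)")

def stale_ssl_users(maps_by_pid):
    """maps_by_pid: {pid: text of /proc/<pid>/maps}. A '(deleted)' libssl or
    libcrypto mapping means the process still runs the pre-upgrade library."""
    return sorted(pid for pid, text in maps_by_pid.items() if _OLD_SSL.search(text))

def scan_proc():
    maps = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as f: maps[int(path.split("/")[2])] = f.read()
        except OSError: pass   # process exited or not readable (needs root for others' maps)
    return stale_ssl_users(maps)
```

Run as root on the server, `scan_proc()` returns the PIDs to restart (compare against `dpkg-query -W -f='${Version}' openssl` for the version check); Apache's workers show up here even when the u6 post-install advice misses them.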
#9 By: Matthew Bloch, April 15th, 2014 19:15
I am writing a follow-up post at the moment on how to handle your data after patching heartbleed. Just waiting for a bit of feedback from the rest of the team.
#10 By: Matthew Bloch, April 16th, 2014 18:46
Here it is: