In Valid Logic

Endlessly expanding technology

OpenSSL Heartbleed patches for Ubuntu 13.04

The heartbleed bug has certainly taken things by storm this week as everyone is patching systems, generating new certs, revoking old, invalidating user tokens, and likely resetting passwords.

At Apcera, we were certainly hard at work getting updates rolled out to ensure we weren’t vulnerable. Phil Pennock even put together an nginx module to log the version of OpenSSL that nginx was using and ensure it errors out if it doesn’t have the correct version.

In the course of rolling out updates though, we still had a need for patching OpenSSL on Ubuntu 13.04 (raring). Raring has been End of Lifed, however Continuum can have multiple base OSes loaded into a cluster, and we still had customer clusters that had the old release and were using it. We also have some systems on it still, as we were holding out for 14.04 which is only a week away.

So we rolled a patched version of OpenSSL for raring using the existing build and grabed the patches from saucy and applied them. We’d seen other people asking about how to patch raring systems flying by on Stack Overflow and other places, and decided it wouldn’t hurt to simply share the packages we’d put up.

These packages were built using brew2deb by Aman Gupta, with these patches added in.

The SHA1 checksums for them are (sorry for the line wrapping):

714fcb1d7944e60c2c44a103bd851f51607b1c56  libssl1.0.0_1.0.1c-4ubuntu8.2apcera1_amd64.deb
6ae5c0041e86829cc301dcead06efd01fb7d9b0c  libssl1.0.0-dbg_1.0.1c-4ubuntu8.2apcera1_amd64.deb
c5e3947832b54a1d1e5d8e8c0163e83b3eb21523  libssl-dev_1.0.1c-4ubuntu8.2apcera1_amd64.deb
0b62f240323ce02d83e84734dadde0bf5fb1b850  libssl-doc_1.0.1c-4ubuntu8.2apcera1_all.deb
0c135bd9e9370d4532c8c2beb51fefffc1a51231  openssl_1.0.1c-4ubuntu8.2apcera1_amd64.deb

Also, we have made them available from a simple apt repository. You can simply add the following to your /etc/apt/sources.list, do an apt-get update, and grab the packages.

deb public raring-openssl

The apt repo is signed by my own Apcera GPG key. You’d likely a message about not trusting the signing key. You can retrieve my key using the following command:

# apt-key adv --recv-keys --keyserver DB4363B3
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring
--secret-keyring /tmp/tmp.nWjupL3SrM --trustdb-name /etc/apt//trustdb.gpg
--keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg
--recv-keys --keyserver DB4363B3
gpg: requesting key DB4363B3 from hkp server
gpg: key DB4363B3: public key "Ken Robertson <>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

I don’t necessarily expect people to persist a keeping my key there, or wanting the apt repo for anything long term, so you can remove the apt repo afterwards and remove my key with:

# apt-key del DB4363B3

Thursday, April 10, 2014

blog comments powered by Disqus