OpenSSL Heartbleed patches for Ubuntu 13.04
The Heartbleed bug has certainly taken things by storm this week as everyone is patching systems, generating new certs, revoking old ones, invalidating user tokens, and likely resetting passwords.
At Apcera, we were certainly hard at work getting updates rolled out to ensure we weren’t vulnerable. Phil Pennock even put together an nginx module to log the version of OpenSSL that nginx was using and ensure it errors out if it doesn’t have the correct version.
In the course of rolling out updates though, we still had a need for patching OpenSSL on Ubuntu 13.04 (raring). Raring has been End of Lifed; however, Continuum can have multiple base OSes loaded into a cluster, and we still had customer clusters that had the old release and were using it. We also have some systems on it still, as we were holding out for 14.04, which is only a week away.
So we rolled a patched version of OpenSSL for raring using the existing build, grabbed the patches from saucy, and applied them. We’d seen other people asking about how to patch raring systems flying by on Stack Overflow and other places, and decided it wouldn’t hurt to simply share the packages we’d put up.
The SHA1 checksums for them are (sorry for the line wrapping):
714fcb1d7944e60c2c44a103bd851f51607b1c56 libssl1.0.0_1.0.1c-4ubuntu8.2apcera1_amd64.deb
6ae5c0041e86829cc301dcead06efd01fb7d9b0c libssl1.0.0-dbg_1.0.1c-4ubuntu8.2apcera1_amd64.deb
c5e3947832b54a1d1e5d8e8c0163e83b3eb21523 libssl-dev_1.0.1c-4ubuntu8.2apcera1_amd64.deb
0b62f240323ce02d83e84734dadde0bf5fb1b850 libssl-doc_1.0.1c-4ubuntu8.2apcera1_all.deb
0c135bd9e9370d4532c8c2beb51fefffc1a51231 openssl_1.0.1c-4ubuntu8.2apcera1_amd64.deb
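One way to check downloaded packages against the list above before installing them, as an added example that is not part of the original post. The helper names verify_debs and page_manifest are hypothetical, and the .deb files are assumed to already sit in a local directory; the check fails closed on a mismatched or unlisted .deb.

```shell
#!/bin/sh
# Added example (not from the original post): verify .deb files against a
# published SHA1 list before handing them to dpkg.
# Usage: page_manifest > sums.txt && verify_debs sums.txt . && dpkg -i ./*.deb

# The five SHA1 sums published in the post, in sha1sum's two-column layout.
page_manifest() {
cat <<'EOF'
714fcb1d7944e60c2c44a103bd851f51607b1c56  libssl1.0.0_1.0.1c-4ubuntu8.2apcera1_amd64.deb
6ae5c0041e86829cc301dcead06efd01fb7d9b0c  libssl1.0.0-dbg_1.0.1c-4ubuntu8.2apcera1_amd64.deb
c5e3947832b54a1d1e5d8e8c0163e83b3eb21523  libssl-dev_1.0.1c-4ubuntu8.2apcera1_amd64.deb
0b62f240323ce02d83e84734dadde0bf5fb1b850  libssl-doc_1.0.1c-4ubuntu8.2apcera1_all.deb
0c135bd9e9370d4532c8c2beb51fefffc1a51231  openssl_1.0.1c-4ubuntu8.2apcera1_amd64.deb
EOF
}

# verify_debs MANIFEST DIR
# Returns 0 only if every .deb in DIR is named in MANIFEST with a matching
# SHA1. Packages listed in MANIFEST but not present in DIR are ignored, so a
# subset can be checked. Returns 1 on the first mismatched or unlisted .deb,
# and 2 if DIR holds no .deb files at all.
verify_debs() {
    manifest=$1 dir=$2 seen=0
    for path in "$dir"/*.deb; do
        [ -f "$path" ] || continue          # unexpanded glob: nothing to check
        seen=1
        name=${path##*/}
        # Look up the expected sum by exact filename (second column).
        want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
        if [ -z "$want" ]; then
            echo "UNLISTED  $name" >&2; return 1
        fi
        got=$(sha1sum "$path" | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH  $name" >&2; return 1
        fi
        echo "OK        $name"
    done
    [ "$seen" -eq 1 ] || return 2
}
```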
Also, we have made them available from a simple apt repository. You can simply add the following to your /etc/apt/sources.list, do an apt-get update, and grab the packages.
deb https://apcera-apt.s3.amazonaws.com public raring-openssl
The apt repo is signed by my own Apcera GPG key. You’d likely get a message about not trusting the signing key. You can retrieve my key using the following command:
# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com DB4363B3
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.nWjupL3SrM --trustdb-name /etc/apt//trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --recv-keys --keyserver keyserver.ubuntu.com DB4363B3
gpg: requesting key DB4363B3 from hkp server keyserver.ubuntu.com
gpg: key DB4363B3: public key "Ken Robertson <email@example.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
I don’t necessarily expect people to persist in keeping my key there, or to want the apt repo for anything long term, so you can remove the apt repo afterwards and remove my key with:
# apt-key del DB4363B3
OK