0

I just got a software update openssl-1.0.1e-37. I believe it is a patch for HeartBleed. Given that it was widely reported that versions up to 1.0.1f are vulnerable, how can I verify this patch on my server without resorting to an external checker?

Question Overflow
  • If you have 1.0.1e installed and versions up to 1.0.1f are vulnerable then your version is currently vulnerable. If you even THINK you are vulnerable you should update OpenSSL and revoke your certificate. You can also disable the SSL/TLS Heartbeat feature as an additional security measure – Ramhound Apr 11 '14 at 04:31
  • @Ramhound, vendor packages often backport fixes while retaining the older version numbers - see the [Red Hat advisory](https://rhn.redhat.com/errata/RHSA-2014-0376.html) which states "these updated packages... contain a backported patch to correct this issue" and provide 1.0.1e packages. – gowenfawr Apr 11 '14 at 04:45
  • @gowenfawr - I can't even tell what version that advisory affects and what version fixes the reported problem. I consider myself to be a smart individual, didn't realize RHS backpatched it granted, but holy cow that advisory is complete nonsense. – Ramhound Apr 11 '14 at 04:52
  • +1 after trying to read the Red Hat advisory. The real shame is that this *should* have been a bad question, but if Red Hat is typical of the breed, then they are the ones that need shaming. – RBerteig Apr 11 '14 at 06:48

2 Answers

3

I was able to download this tool and put it on one of my systems so that I could test my hosts without an external checker:

heartbleeder

The results were consistent with what I expected (dirty to clean after patching, and the one time it didn't clean up after patching, further investigation showed the tool was right and I hadn't patched every copy of the openssl library).

And by the way, what you're describing is incredibly common. Many distributions (RHEL in particular) backport patches without changing the old rev. Red Hat actually takes the cake for this one - openssl-1.0.1e-16.el6_5.4 is the bad old RPM, and openssl-1.0.1e-16.el6_5.7 is the fixed new RPM. Really, Red Hat? You couldn't have nudged -16 up to -17?

Update:

In answer to @question-overflow's comment, here's an excellent dissection of the issue including a walkthrough of the code and links to full source.

gowenfawr
  • It's a headache for sure. Especially considering most of the notices sent out don't mention Red Hat version numbers. +1 for a clear answer. – David Houde Apr 11 '14 at 05:50
  • Thanks for giving me a plausible method. By the way is it at all possible to test by just `grepping` for the offending line in the downloaded patch? Just wondering. – Question Overflow Apr 11 '14 at 10:52
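The "I hadn't patched every copy of the openssl library" failure mode above has a purely local check: after an in-place package update, a long-running daemon keeps the old library mapped until it is restarted, and Linux marks that mapping `(deleted)` in `/proc/<pid>/maps`. The script below is an added example, not the answer's tool or code; the maps lines it parses are constructed, and the live scan assumes a Linux host with `/proc` (root is needed to read other users' processes).

```shell
#!/bin/sh
# Added example: find processes still holding a pre-update OpenSSL library.

# Constructed /proc/<pid>/maps excerpt: two stale mappings plus a current one.
SAMPLE_MAPS='7f3a0000-7f3a1000 r-xp 00000000 fd:00 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a2000-7f3a3000 r-xp 00000000 fd:00 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3b0000-7f3b1000 r-xp 00000000 fd:00 2222 /usr/lib64/libc-2.12.so
7f3c0000-7f3c1000 r-xp 00000000 fd:00 3333 /usr/lib64/libssl.so.1.0.1e'

# Constructed excerpt for a process that was restarted after the update.
CLEAN_MAPS='7f3b0000-7f3b1000 r-xp 00000000 fd:00 2222 /usr/lib64/libc-2.12.so
7f3c0000-7f3c1000 r-xp 00000000 fd:00 3333 /usr/lib64/libssl.so.1.0.1e'

# Given the text of one maps file, print the OpenSSL library paths that are
# mapped but already deleted on disk (empty output means the process is clean).
# Fields: address perms offset dev inode pathname [(deleted)]
stale_ssl_libs() {
    printf '%s\n' "$1" |
        awk '/lib(ssl|crypto)[^ ]*\.so.*\(deleted\)/ { print $6 }' |
        sort -u
}

# Walk every process and report those still using a stale libssl/libcrypto.
# Output: one "<pid><TAB><paths>" line per affected process.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_libs "$(cat "$maps" 2>/dev/null)")
        if [ -n "$libs" ]; then
            printf '%s\t%s\n' "$pid" "$(printf '%s' "$libs" | tr '\n' ' ')"
        fi
    done
}

# Every copy of libssl on local filesystems: extra copies (bundled software,
# chroots) are not covered by the distribution package update.
ssl_copies_on_disk() {
    find / -xdev -name 'libssl.so*' 2>/dev/null
}

# Usage: ./check_stale_ssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
    ssl_copies_on_disk
fi
```

Any process the scan lists must be restarted before the package update actually takes effect for it; any extra libssl copy on disk needs its own update.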
0

Qualys SSL Labs is currently testing for garbage return to detect HeartBleed and several other vulnerabilities found on web servers. It also tracks down some configurations that can cause serious problems with SSL/TLS security.

https://www.ssllabs.com/ssltest/

Fiasco Labs