rated 0 times [  28] [ 0]  / answers: 1 / hits: 18966  / 2 Years ago, sun, august 28, 2022, 1:18:41

I've followed the instructions to install unattended-upgrades to install automatic security updates on my server (Ubuntu Server 13.10).



https://help.ubuntu.com/community/AutomaticSecurityUpdates



Can you help me understand why this morning I still have the Heartbleed bug on my server?



$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan 8 20:58:47 UTC 2014
platform: debian-amd64


Other information:



$ cat /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

$ cat /var/log/apt/history.log
....
Start-Date: 2014-04-03 15:33:59
Commandline: apt-get install nginx
Install: libxau6:amd64 (1.0.8-1, automatic), libx11-data:amd64 (1.6.1-1ubuntu1, automatic), libxcb1:amd64 (1.9.1-3ubuntu1, automatic), libvpx1:amd64 (1.2.0-2, automatic), libgd3:amd64 (2.1.0-2, automatic), libxdmcp6:amd64 (1.1.1-1, automatic), libxslt1.1:amd64 (1.1.28-2, automatic), nginx-common:amd64 (1.4.1-3ubuntu1.3, automatic), nginx:amd64 (1.4.1-3ubuntu1.3), nginx-full:amd64 (1.4.1-3ubuntu1.3, automatic), libx11-6:amd64 (1.6.1-1ubuntu1, automatic), libxpm4:amd64 (3.5.10-1, automatic)
End-Date: 2014-04-03 15:34:02

Start-Date: 2014-04-04 10:26:38
Commandline: apt-get install unattended-upgrades
Install: unattended-upgrades:amd64 (0.79.3ubuntu8)
End-Date: 2014-04-04 10:26:40


Thank you



 Answers
3

You do not have the Heartbleed vulnerability on your server; OpenSSL has been patched to fix this issue (without upgrading it).



You have left out several important lines in the OpenSSL version output. That's how you know it's been patched, not by the version number:



openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:33:19 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


The 'built on' line is what matters here. Apr. 7 or after: you're good. Otherwise: you're in trouble.



Update, since the build date doesn't seem to be good:



Maybe the unattended upgrade hasn't run yet. On my server, the scripts in cron.daily are configured to run at 6:25:



25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )


Also, check the contents of /etc/apt/apt.conf.d/10periodic and check that security updates are installed:



APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";


Source: https://help.ubuntu.com/lts/serverguide/automatic-updates.html


[#26145] Monday, August 29, 2022, 2 Years  [reply] [flag answer]
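
The two checks the answer describes (the OpenSSL "built on" date and the APT periodic settings), as an added example that is not part of the original question or answer. The function names are hypothetical, the sample inputs are the outputs shown in the question, and the April 7, 2014 threshold is the answer's rule.

```shell
#!/bin/sh
# Added example (not from the original post). Inputs are passed on stdin so
# the checks can be run on saved output as well as on a live host.

# built_on_date: print the "built on:" date of `openssl version -a` output
# as YYYYMMDD, or nothing if the line is missing or unparseable.
built_on_date() {
    awk '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    # Format on the page: built on: Mon Apr 7 20:33:19 UTC 2014
    /^built on:/ && ($4 in mon) && $5 ~ /^[0-9]+$/ && $NF ~ /^[0-9]+$/ {
        printf "%04d%02d%02d\n", $NF, mon[$4], $5; exit }'
}

# build_status: apply the answer's rule (built on Apr 7 2014 or later).
# Prints patched-build, old-build or unknown.
build_status() {
    d=$(built_on_date)
    [ -n "$d" ] || { echo unknown; return; }
    if [ "$d" -ge 20140407 ]; then echo patched-build; else echo old-build; fi
}

# periodic_status: read APT configuration text (the 20auto-upgrades or
# 10periodic file, or `apt-config dump`) and report whether both settings
# needed for unattended upgrades are set to a non-zero interval.
periodic_status() {
    awk -F'"' '
    /^APT::Periodic::Update-Package-Lists / { upd = $2 + 0 }
    /^APT::Periodic::Unattended-Upgrade /   { unat = $2 + 0 }
    END { print ((upd > 0 && unat > 0) ? "enabled" : "disabled") }'
}

# Constructed samples, copied from the outputs shown in the question.
QUESTION_OPENSSL='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan 8 20:58:47 UTC 2014
platform: debian-amd64'
QUESTION_APT='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

printf '%s\n' "$QUESTION_OPENSSL" | build_status   # old-build
printf '%s\n' "$QUESTION_APT" | periodic_status    # enabled
```

On a live host, pipe `openssl version -a` and `apt-config dump` into the functions instead of the samples. The build-date check only describes the library on disk; services started before the upgrade keep using the old copy until they are restarted.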
ndaavi