Saturday, 13 February 2016

LPIC-3 320.1 Avoiding the Heartbleed Bug by Installing from Source

LPIC-3 Objective 320.1


In this tutorial we look at the real need to work with the very latest version of software from the source when security is involved.

Even though it is most likely that recent distribution updates will include  later version of OpenSSL we need to make sure that we avoid version 1.01 through to version 1.0.1f as these are affected by the Heartbleed bug. Earlier versions in the 1.0.0 branch are fine as is 0.9.8. A quick check on my Raspberry Pi and it is running OpenSSL version 1.0.1e, not good.

The version of openSSL can be checked running:

$ openssl version

This is true in the Raspberry Pi up to and including the latest version of Debian Wheezy, 7.8 Image that I downloaded  during February 2016:

LPIC-3, LPI Tutorials and Materials, LPI Guides, LPI Certifications

In any case, it is your responsibility to ensure your system is running safely and securely and often that does mean downloading from source.  The latest version from OpenSSL currently as this is written is 1.0.2 and this is what we will download and compile:

$ cd 
wget https://www.openssl.org/source/openssl-1.0.2.tar.gz
tar -xzvf openssl-1.0.2.tar.gz
cd openssl-1.0.2
./configure
make 
sudo make install

LPIC-3, LPI Tutorials and Materials, LPI Guides, LPI Certifications
Once installed we should be able to see the new version and relax knowing that our system is now safe from Heartbleed. To display more information about OpenSSL we can use the option:

$ openssl -a

There will be more tutorials following to help with this LPIC-3 objective but for the moment lets ensure we are are running 1.0.1f or later and watch the video: