
Heartbleed bug and wattOS 7 and 7.5

    • Moderator
    • 563 posts
    April 10, 2014 10:55 AM PDT

    If you have not heard, there is a good bit of news floating about regarding the Heartbleed bug. It impacts several versions of OpenSSL. This bug is primarily a server issue and most clients are not impacted directly.

     

    Here is an Ubuntu link that discusses this.

    http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl

     

    Read the area regarding "How do I recover on a client".

     

    If you want to do it on your own, you can go to openssl.org yourself and get the sources (get the latest, 1.0.1g).

    http://www.openssl.org/source/

     

    If you still want to patch this with some help, read on (which is not a bad idea in any case). There are some steps to do this. Please read carefully and follow along if you are not comfortable doing this sort of thing. (You have to be connected to the internet.)

     

    1. Open a terminal and enter the command 'sudo apt-get install build-essential' and provide admin credentials. This downloads tools to be able to make and compile the source files.

     

    2. Download and verify the source file mentioned above from OpenSSL, or I will be providing a direct link and script to help you in the post following this one.

     

    3. Compile and install the source file yourself, or use the shell script I am providing in the next post. (You can read it in any text editor.)

     

    4. The compile and install will take a few minutes depending on the speed of your computer.

     

    5. Verify the version in a terminal by typing 'openssl version'; it should respond with 'OpenSSL 1.0.1g 7 Apr 2014'.

     

    After that you are protected from this reported bug.

     

    You have to do this manually and not from the repositories, as Ubuntu 13.04 is no longer being updated by Canonical, which is the upstream parent of wattOS 7 and 7.5.

     

    wattOS R8 will already be patched for this and is Debian based, so it will not be an issue for that release which is coming in 30 days or less.


    This post was edited by biff baxter at April 10, 2014 10:57 AM PDT
    • Moderator
    • 563 posts
    April 10, 2014 11:21 AM PDT

    I am providing the OpenSSL source file and a small shell script to compile, install, and link the new SSL install.

     

    Please read carefully and review closely.

     

    1. Download the source file from OpenSSL or from the link below.

    http://www.planetwatt.com/hb/openssl-1.0.1g.tar.gz

     

    2. Optionally download the signature file to verify its integrity. (I have done this already, but feel free to make sure.)

    http://www.planetwatt.com/hb/openssl-1.0.1g.tar.gz.asc

     

    3. Compile and install the source yourself, or use the shell script provided below. (Feel free to open it in a text editor and read what it's doing so you know and are comfortable.)

    http://www.planetwatt.com/hb/openssl-upgrade.sh

     

    Please note a couple of things.

     

    1. You need to have build-essential installed first, as mentioned in the first post.

    2. Place the tar.gz file and .sh file in the same directory and execute it as root (admin).

    For example: sudo ./openssl-upgrade.sh (also be sure it's executable)

    3. Be patient while it's being compiled and installed. Depending on the speed of your machine, it could take a few minutes as you watch the text whiz by on the screen.

    4. Once done, you can verify by simply typing "openssl version".

     

    I have tested this on wattOS 7 and 7.5 successfully.
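
A version check for step 5 of the first post and step 4 above, as an added example that is not part of the original posts or of the linked openssl-upgrade.sh. The function names `heartbleed_status` and `audit_path` are hypothetical; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is taken from the OpenSSL advisory for CVE-2014-0160.

```shell
#!/bin/sh
# Added example, not the openssl-upgrade.sh script from this thread.

# Map one line of `openssl version` output to a Heartbleed status.
# Upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g is the fixed release.
# Caveat: a distribution package can carry a backported fix under an
# unchanged version letter, so "affected" is only conclusive for builds
# made from upstream source, as in this thread.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}                      # some builds append "-fips"
    case "$ver" in
        "")                                  echo unknown ;;
        1.0.1|1.0.1[abcdef]|1.0.2-beta1)     echo affected ;;
        1.0.1-*)                             echo unknown ;;  # pre-release, not classified
        *)                                   echo not-affected ;;
    esac
}

# Print "<path> <status>" for every openssl executable in a colon-separated
# directory list (default: $PATH). A source build can sit beside the packaged
# binary, so the first hit of `openssl version` can hide an affected copy.
audit_path() {
    old_ifs=$IFS; IFS=:
    for dir in ${1:-$PATH}; do
        IFS=$old_ifs
        bin="${dir:-.}/openssl"
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        echo "$bin $(heartbleed_status "$("$bin" version 2>/dev/null)")"
    done
    IFS=$old_ifs
}

audit_path
```

`openssl version` describes the command-line binary only; services that loaded the old libssl keep it mapped until they are restarted.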

    • 92 posts
    April 10, 2014 5:02 PM PDT

    Thanks for the detailed and timely advice.