btaroli
Apr 08, 2014 (Prodigy)
ROS 6, OpenSSL, and package updates?
No sooner do I read this evening that Fedora and others are quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug that I log into my 516 to see what version it's running. Oh my, 1.0.1e....
arnomc
Apr 10, 2014 (Aspirant)
Here is what I did for my OS 6.1.6 on a legacy Atom (amd64). Special thanks go to MueR, fastfwd & super-poussin. A disclaimer: if you are unsure of anything, ask the gurus here on the forum, or have a look at: http://www.siteground.com/tutorials/ssh ... leting.htm
Note: please tell me if you find any mistake or if something wasn't clear.
STEP 0: checking what you have and if you really need to do anything at all:
root@NAS:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u3 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
root@NAS:~# openssl version -b
built on: Mon Jan 6 19:32:28 UTC 2014
STEP 1: 'upgrading' openssl to deb7u11 (note that it would be different for other hardware or other ReadyNAS OS versions), and maybe restarting apache & ssh.
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u11_amd64.deb
dpkg -i openssl_1.0.1e-2+deb7u11_amd64.deb
STEP 1bis: verify
root@NAS:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u11 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
root@NAS:~# openssl version -b
built on: Mon Jan 6 19:32:28 UTC 2014
STEP 2: do the same for libssl (eventually check with dpkg -l | grep libssl), and restart apache2 & ssl:
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1e-2+deb7u11_amd64.deb
dpkg -i libssl1.0.0_1.0.1e-2+deb7u11_amd64.deb
service apache2 restart
service ssh restart
STEP 3: via the web interface go to System>Settings>Services, click on HTTPS & change the name in order to regenerate the certificates. Then delete the keys in /etc/ssh/ (ssh_host_xxxx files), & also delete the files in /root/.ssh . Optional: after deleting with the rm command, check with the ls command (just to be sure).
root@NAS:~# ls /etc/ssh/
moduli ssh_host_dsa_key ssh_host_ecdsa_key.pub
ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ecdsa_key ssh_host_rsa_key.pub
root@NAS:~# rm /etc/ssh/ssh_host_*.pub
root@NAS:~# rm /etc/ssh/ssh_host_*
root@NAS:~# rm /root/.ssh/id_rsa.pub
root@NAS:~# rm /root/.ssh/id_rsa
STEP 3bis: some people could need to do this (if they have a Mac): http://blog.tinned-software.net/ssh-rem ... s-changed/
STEP 4: -> REBOOT your NAS
root@NAS:~# rn_shutdown -r
Then CHANGE your root password only after you have finished the whole process (there is no way to tell if the keys were not leaked). Final check on a test tool: http://filippo.io/Heartbleed/
Updated 20th June 2014: openssl_1.0.1e-2+deb7u5_amd64.deb changed for "deb7u11" (dated 4 June 2014) and libssl1.0.0_1.0.1e-2+deb7u6_amd64.deb for "deb7u11".
cf : https://security-tracker.debian.org/tra ... -2014-0224
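An added example, not part of the post above or of any NETGEAR tooling: a POSIX shell audit of the checks done by hand in STEP 0, STEP 1bis and STEP 2, flagging the state where only the `openssl` package was upgraded while `libssl1.0.0` (the library Apache loads) is still old, and detecting processes that still map the replaced library until they are restarted. It assumes `deb7u11`, the revision the post installs, as the target; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
TARGET_REV=11   # "deb7u11", the revision the post installs (assumed target)

# Print N from a version of the form 1.0.1e-2+deb7uN; fail on any other format.
deb7u_rev() {
    case "$1" in 1.0.1e-2+deb7u*) n=${1##*+deb7u} ;; *) return 1 ;; esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# Read `dpkg -l` output on stdin and print one verdict per package.
# Returns 0 only if openssl AND libssl1.0.0 are both installed at >= TARGET_REV.
audit_dpkg() {
    seen=" "; rc=0
    while read -r state name version rest; do
        name=${name%%:*}                     # libssl1.0.0:amd64 -> libssl1.0.0
        case "$name" in openssl|libssl1.0.0) ;; *) continue ;; esac
        seen="$seen$name "
        if [ "$state" != ii ] || ! rev=$(deb7u_rev "$version"); then
            echo "REVIEW $name $version"; rc=1    # unexpected state or version format
        elif [ "$rev" -ge "$TARGET_REV" ]; then
            echo "OK $name $version"
        else
            echo "UPGRADE $name $version"; rc=1
        fi
    done
    for pkg in openssl libssl1.0.0; do
        case "$seen" in *" $pkg "*) ;; *) echo "MISSING $pkg"; rc=1 ;; esac
    done
    return "$rc"
}

# Read one /proc/<pid>/maps on stdin; succeed if the process still maps a
# libssl/libcrypto file that was replaced on disk (shown as "(deleted)").
maps_stale_libssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Constructed sample: package state after STEP 1 but before STEP 2.
SAMPLE_AFTER_STEP1='ii openssl 1.0.1e-2+deb7u11 amd64 Secure Socket Layer (SSL) binary
ii libssl1.0.0:amd64 1.0.1e-2+deb7u3 amd64 SSL shared libraries'

printf '%s\n' "$SAMPLE_AFTER_STEP1" | audit_dpkg || echo "=> not patched yet"
# On the NAS itself (as root):
#   dpkg -l | audit_dpkg
#   for m in /proc/[0-9]*/maps; do maps_stale_libssl <"$m" && echo "restart: $m"; done
```

A process flagged by `maps_stale_libssl` keeps running the old library code until it is restarted, which is what the service restarts in STEP 2 and the reboot in STEP 4 take care of.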