Forum Discussion
btaroli (Prodigy)
Apr 08, 2014
ROS 6, OpenSSL, and package updates?
No sooner do I read this evening that Fedora and others are quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug than I log into my 516 to see what version it's running. Oh my, 1.0.1e. When did that happen? Are there magic upgrade faeries on the NAS? :D
47 Replies
Replies have been turned off for this discussion
- alanwsg1 (Aspirant)
OK guys, plot still lost!
If my RN102 says "1.0.1e 11 Feb 2013" when I run "openssl version" ....
-- how do I know if I'm running the patched version?
-- if I update it as described earlier, how will I know if it's worked?
-- how do I view the build number?
-- did they REALLY update the package but not change the version number?
- super_poussin (Virtuoso)
Better to add this in /etc/apt/sources.list:
deb http://security.debian.org/ wheezy/updates main contrib non-free
that's my opinion
Don't forget to regenerate certificates and keys; restarting apache is not enough.
To regenerate the certificate, change the name by clicking on the https button,
then delete the keys in /etc/ssh/ (ssh_host_xxxx files) and also delete the files in /root/.ssh.
Reboot the NAS.
- mangrove (Apprentice)
alanwsg wrote: -- how do I view the build number?
-- did they REALLY update the package but not change the version number?
openssl version -a
will give you the build date.
It's not a new "version", per se. It's a patched old version. Debian is not bleeding edge. If you want bleeding edge, you will be ill served by "Debian stable", but there is the "Debian testing" release. Typically Debian users are looking for extreme stability and longevity.
- Ki_Adi_Mundi (NETGEAR Expert)
alanwsg wrote: OK guys, plot still lost!
If my RN102 says "1.0.1e 11 Feb 2013" when I run "openssl version" ....
-- how do I know if I'm running the patched version?
-- if I update it as described earlier, how will I know if it's worked?
-- how do I view the build number?
-- did they REALLY update the package but not change the version number?
run "dpkg -l | grep openssl"
- btaroli (Prodigy)
alanwsg wrote: -- did they REALLY update the package but not change the version number?
The remediation options (see notes at http://heartbleed.com/ ... Reading IS fun!) were to upgrade to 1.0.1g or rebuild on existing version with an option to disable the problematic TLS heartbeat function. This is the latter. It also makes it a bit confusing since you'll see new revisions of what appears to be the same OpenSSL package. I hesitate to call it a patch when it's just a new alternate build, but it's certainly fixed. ;)
But this is why you need to verify the build date, since just looking at the package version may not be enough.
If you're very paranoid there is a test tool at http://filippo.io/Heartbleed/
And if you are (wisely) planning to change passwords, don't do it until you (or any affected website) have applied a fixed build AND have applied new site keys -- since /private/ keys may have been leaked and there's no way to be sure they weren't.
- alanwsg1 (Aspirant)
Still struggling a bit,
"uname -m" returns "armv71", which package do I need?
BTW, a test site [ http://filippo.io/Heartbleed/ ] does say my RN102 is currently vulnerable.
- MueR (Aspirant)
Don't forget that all services that use SSL have to be restarted. This includes software packages that set up their own secure https connections. If you're unsure, just reboot your NAS after applying the patch.
- arnomc (Aspirant)
Here is what I did for my OS 6.1.6 on a legacy Atom (amd64). Thanks especially go to MueR, fastfwd & super-poussin. A disclaimer: if you are unsure of anything, ask the gurus here on the forum, or have a look at: http://www.siteground.com/tutorials/ssh ... leting.htm
Note: please tell me if you find any mistake or if something wasn't clear.
STEP 0: checking what you have and whether you really need to do anything at all:
root@NAS:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u3 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
root@NAS:~# openssl version -b
built on: Mon Jan 6 19:32:28 UTC 2014
STEP 1: 'upgrading' openssl to deb7u11 (note that it would be different for other hardware or another ReadyNAS OS version), and maybe restarting apache & ssh:
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u11_amd64.deb
dpkg -i openssl_1.0.1e-2+deb7u11_amd64.deb
STEP 1bis: verify:
root@NAS:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u11 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
root@NAS:~# openssl version -b
built on: Mon Jan 6 19:32:28 UTC 2014
STEP 2: do the same for libssl (optionally check with dpkg -l | grep libssl), and restart apache2 & ssh:
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1e-2+deb7u11_amd64.deb
dpkg -i libssl1.0.0_1.0.1e-2+deb7u11_amd64.deb
service apache2 restart
service ssh restart
STEP 3: via the web interface go to System>Settings>Services, click on HTTPS & change the name in order to regenerate the certificates. Then delete the keys in /etc/ssh/ (ssh_host_xxxx files), & also delete the files in /root/.ssh. Optional: after deleting with the rm command, check with the ls command (just to be sure).
root@NAS:~# ls /etc/ssh/
moduli ssh_host_dsa_key ssh_host_ecdsa_key.pub
ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ecdsa_key ssh_host_rsa_key.pub
root@NAS:~# rm /etc/ssh/ssh_host_*.pub
root@NAS:~# rm /etc/ssh/ssh_host_*
root@NAS:~# rm /root/.ssh/id_rsa.pub
root@NAS:~# rm /root/.ssh/id_rsa
STEP 3bis: some people could need to do this (if they have a mac) : http://blog.tinned-software.net/ssh-rem ... s-changed/
STEP 4: -> REBOOT your NAS:
root@NAS:~# rn_shutdown -r
then CHANGE your root password only after you finished the whole process (there is no way to tell if the keys were not leaked). Final check on a test tool http://filippo.io/Heartbleed/
Updated 20th June 2014: openssl_1.0.1e-2+deb7u5_amd64.deb replaced with "deb7u11" (dated 4 June 2014), and libssl1.0.0_1.0.1e-2+deb7u6_amd64.deb with "deb7u11".
cf: https://security-tracker.debian.org/tra ... -2014-0224
- hunger (Apprentice)
I installed the patch and rebooted my ReadyNAS 312. Although I show this:
# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-======================-================-================-==================================================
ii openssl 1.0.1e-2+deb7u6 amd64 Secure Socket Layer (SSL) binary and related crypt
# openssl version -b
built on: Mon Jan 6 19:32:28 UTC 2014
a Heartbleed test program says that it is still vulnerable.
- fastfwd (Virtuoso)
hunger wrote: I installed the patch and rebooted my ReadyNAS 312. Although I show this:
....openssl 1.0.1e-2+deb7u6 amd64 Secure Socket Layer (SSL) binary and related crypt
....
a Heartbleed test program says that it is still vulnerable.
What is the output of this command?
dpkg -l | grep libssl
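The two things the thread works out piecemeal (arnomc's STEP 0 / STEP 1bis / STEP 2 verification, and the hunger/fastfwd exchange just above, where a fixed `openssl` package still tests vulnerable because the `libssl1.0.0` package is what the daemons actually load) can be checked in one script. The following is an added example written for this page, not code from the thread, NETGEAR or Debian. It assumes Python 3 on the NAS (or any host you paste `dpkg -l` output into), that wheezy's first fixed upload for CVE-2014-0160 is 1.0.1e-2+deb7u5 (the DSA-2896-1 revision; confirm on the Debian security tracker linked above before trusting the constant), and root access so that `/proc/<pid>/maps` is readable. It ports dpkg's own version-ordering rules instead of comparing strings, because a plain string compare ranks deb7u11 below deb7u6, and it lists processes still mapping a deleted libssl, which is MueR's "restart everything" advice made precise.

```python
#!/usr/bin/env python3
"""Heartbleed (CVE-2014-0160) audit for a Debian wheezy box such as ReadyNAS OS 6.
Check 1: is libssl1.0.0 at or above the fixed Debian revision (dpkg ordering)?
Check 2: which running processes still map the old, now-deleted libssl?
Added example for this page, not code from the thread."""
import os
import re
import subprocess
from itertools import zip_longest

# Assumption: first wheezy upload carrying the CVE-2014-0160 fix (DSA-2896-1).
# Verify against https://security-tracker.debian.org before relying on it.
FIXED_LIBSSL = "1.0.1e-2+deb7u5"


def _order(c):
    """dpkg character weight: '~' sorts before everything, even end of string (0);
    letters sort before any non-letter."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Port of dpkg's verrevcmp(): walk both strings in lockstep, alternating a
    non-digit run (compared with _order) and a digit run (compared numerically,
    so leading zeros are ignored and 11 > 6)."""
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream
    part, then the Debian revision after the last '-'."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def libssl_status(dpkg_l_output, fixed=FIXED_LIBSSL):
    """Parse `dpkg -l` text into {package: (version, is_fixed)} for the two
    packages that matter. `openssl` is only the CLI binary; `libssl1.0.0` is the
    shared library apache2, sshd and the NAS services load, so a fixed `openssl`
    next to an old `libssl1.0.0` is still vulnerable."""
    status = {}
    for line in dpkg_l_output.splitlines():
        m = re.match(r"^(\S\S)\s+(\S+)\s+(\S+)", line)
        if not m or m.group(1) != "ii":
            continue
        name = m.group(2).split(":")[0]  # drop a ":amd64" multiarch qualifier
        if name in ("openssl", "libssl1.0.0"):
            version = m.group(3)
            status[name] = (version, compare_versions(version, fixed) >= 0)
    return status


def stale_libssl_users(maps_by_pid):
    """Given {pid: text of /proc/<pid>/maps}, return pids still mapping a
    libssl/libcrypto that was replaced on disk (the kernel appends "(deleted)").
    Those processes keep running the old code until restarted."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if re.search(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)", line):
                stale.append(pid)
                break
    return sorted(stale)


def read_proc_maps():
    """Collect /proc/<pid>/maps for every process we are allowed to read."""
    out = {}
    for d in os.listdir("/proc"):
        if d.isdigit():
            try:
                with open("/proc/%s/maps" % d) as f:
                    out[int(d)] = f.read()
            except OSError:
                pass
    return out


if __name__ == "__main__":
    dpkg_l = subprocess.check_output(["dpkg", "-l"]).decode("utf-8", "replace")
    for pkg, (ver, ok) in sorted(libssl_status(dpkg_l).items()):
        print("%-12s %-22s %s" % (pkg, ver, "fixed" if ok else "VULNERABLE"))
    for pid in stale_libssl_users(read_proc_maps()):
        print("pid %d still maps the old libssl/libcrypto: restart it" % pid)
```

Run it as root on the NAS after STEP 2; if it reports `libssl1.0.0` as fixed but still lists pids, those services (not just apache2 and sshd) are the reason an external Heartbleed test keeps saying vulnerable, and a reboot clears them all at once. An arm7 box needs the same packages for its own architecture; the script does not care which.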