29

It seems like Raspbian has not been updated yet to deal with the Heartbleed bug. sudo apt-get update then sudo apt-get upgrade doesn't update anything (this is a system which was freshly updated yesterday so it is all up to date otherwise).

When I do sudo apt-get install openssl it tells me the latest version is installed, while openssl version tells me 1.0.1e is still installed. The first non-vulnerable version of OpenSSL is 1.0.1g, so how do I update to this?

Jamie Bull

1 Answer

27

The core affected package is libssl1.0.0; if you can, just replace it with the patched version and restart everything. You can try to download a binary and manually install an arm-hf package using dpkg, with the version 1.0.1e-2+deb7u5 for wheezy.

You can also use the jessie repository, just for this single one time update, which should get you version 1.0.1g-1.

After install and reboot, it is strongly recommended to revoke all keys and certificates and regenerate everything from scratch, using new passwords and vectors.


As of 09/04/2014 the main wheezy repository uses the patched version 1.0.1e-2+deb7u5 and as commented, you can get it like this:

> sudo apt-get update 
> sudo apt-get upgrade

Which will update the following packages:

libssl1.0.0 openssh-client openssh-server openssl ssh


*Here is how to selectively upgrade certain packages using the jessie repository without completely breaking wheezy; this will install the latest g version.

Add the following two lines into /etc/apt/sources.list

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb http://archive.raspbian.org/raspbian jessie main contrib non-free rpi

You then edit the file /etc/apt/preferences (create the file if it doesn't exist) to tell apt in which repositories it should look to do an update. We put jessie on a low priority so that when you use apt-get update it will ignore jessie and use the wheezy repo instead. This is important for the step after this one.

Package: *
Pin: release n=wheezy
Pin-Priority: 900

Package: *
Pin: release n=jessie
Pin-Priority: 300

Package: *
Pin: release o=Raspbian
Pin-Priority: -10

Now, at your free will you can tell apt to use jessie instead.

apt-get update
apt-get -t jessie install openssl libssl1.0.0 openssh-client openssh-server ssh

*An extract from Chapter 6, Raspberry Pi Server Essentials.


Piotr Kula
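The answer's "restart everything" step matters because a process started before the upgrade keeps the old libssl mapped in memory until it exits. The following is an added example, not part of the original answer: a shell function (the name `stale_libssl_pids` and its optional proc-root argument are assumptions made for illustration) that lists processes still mapping a libssl or libcrypto file that has been replaced on disk.

```shell
#!/bin/sh
# Added example: find processes that still use the pre-upgrade OpenSSL
# libraries. When the package upgrade replaces a shared library, the old
# file is unlinked but stays mapped in every process that loaded it, and
# the kernel marks that mapping "(deleted)" in /proc/<pid>/maps.

# stale_libssl_pids [proc_root]
#   Prints "<pid> <command>" for each affected process.
#   proc_root defaults to /proc; it is a parameter (an assumption of this
#   example) so the function can be exercised against a constructed tree.
stale_libssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip an unmatched glob and entries we are not allowed to read.
        [ -r "$maps" ] || continue
        if grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" \
                >/dev/null 2>&1; then
            pid_dir="${maps%/maps}"
            pid="${pid_dir##*/}"
            name="$(cat "$pid_dir/comm" 2>/dev/null || echo unknown)"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
    return 0
}

# Scan the live system. Run as root to see every process; an empty result
# means nothing is still holding the replaced library.
stale_libssl_pids /proc
```

Any process it lists (sshd, a web server, and so on) is still running the old library code and needs a restart, or the machine needs a reboot, before the upgrade takes effect for it.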