OpenSSL CVE-2014-0160 (heartbleed)

An upstream OpenSSL bug (referred to as ‘heartbleed’) has been patched in the upstream distro to FreePBX.

We’ve added the updated packages to our yum repositories and the mirrors are syncing now.

Run the command ‘yum update openssl’ on your box. Please note you need to be on a 5.211.65 or 6.211.65 release to get this updated RPM. The package will also be included in the next upgrade scripts but since this is a pretty big exploit we did not want to make users wait for the next upgrade.

If you are using FreePBX on a non FreePBX Distro system we recommend you upgrade openssl to a newer version that includes this patch immediately.

More information can be found here:

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html


Derek
aka goozbach

I believe this post should be moved to the distro specific forum. It won’t work if you don’t use the FreePBX repos and certainly won’t work on non “non-Centos” setups.

Well we want it here to get the most coverage so it will stay here. This is general FreePBX help which includes the Distro

Then for those who need a more general fix there is:

http://heartbleed.com/

Debian based systems such as RasPBX and Ubuntu will be patched with an apt-get update.

But thanks for the heads-up.

I would also suggest that you never run ssh on port 22 and you only allow private key connections. This is also effective prophylaxis.

Dicko - SSH not affected:

It’s worth pointing out that OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use openssl for some key-generation functions, it does not use the TLS protocol (and in particular the TLS heartbeat extension that heartbleed attacks). So there is no need to worry about SSH being compromised, though it is still a good idea to update openssl to 1.0.1g or 1.0.2-beta2 (but you don’t have to worry about replacing SSH keypairs). – dr jimbob 6 hours ago

Good news for old versions, I guess. Thank you very much for the info. I’ll talk to the boss about getting Schmoozecom Support’s quote for the upgrade.

Regards,
Brent

Hi, not sure if I can ask a basic question here. Stop reading here if not.

I tried to run ‘yum update openssl’ on my freepbx/schmoozecom appliance and it downloaded but said ‘no packages marked for update’
I checked the release and got:
[root@localhost ~]# cat /etc/centos-release
CentOS release 6.2 (Final)

Did I miss something?
I don’t know CentOS, I just carefully read what to do and do exactly that. Probably dangerous.

Regards,
Brent

Brent, that is an older system which IIRC isn’t vulnerable to the bug. You may want to upgrade though, and when you do you’ll automatically get the fixed software.

We are happy to help you but be aware there are self service options as well.
http://wiki.freepbx.org/display/FD/Updating+FreePBX+Official+Distro

Why didn’t I have Sys Admin Pro before? For $25 my life just got much easier.

Thanks,
Brent

One more question then that’s it, promise. Now I’m at
PBX Firmware: 5.211.65-11
PBX Service Pack: 1.0.0.0

and I tried to run ‘yum update openssl’ again and it still says ‘no packages marked for update’

Is that because my now up to date system already has the update?

The Heartbleed.com website lists 1.0.1e-15 on CentOS to be vulnerable, and recommends 1.0.1g.
On all systems I’m on 5.211.65-11, but “yum list openssl” returns Installed Packages
openssl.i686 1.0.1e-16.el6_5.7 @updates
and “yum update openssl” says No Packages marked for Update
What now?

1.0.1e-16.el6_5.7 contains the backported fixes from the upstream projects.
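
As an added example (not from this thread or the FreePBX project), the check behind that answer in code: parse `rpm -q openssl` output and decide, using a simplified rpmvercmp-style comparison, whether a CentOS 6 build is at or past the fixed 1.0.1e-16.el6_5.7 package named above; the pre-1.0.1 rule mirrors the earlier note that older branches are not affected. The sample rpm lines and the 1.0.0 release string are constructed.

```python
import re

# Fixed CentOS 6 build named in the thread; older 1.0.1e builds are vulnerable.
FIXED_EL6 = "1.0.1e-16.el6_5.7"


def _segments(s):
    # Like rpmvercmp: split into alternating numeric / alphabetic runs.
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1  # longer string is newer


def split_vr(vr):
    version, _, release = vr.partition("-")
    return version, release


def parse_rpm_q(line):
    """'openssl-1.0.1e-16.el6_5.7.i686' -> '1.0.1e-16.el6_5.7'."""
    m = re.match(r"openssl-(\d[^-]*)-(.+)\.(i686|x86_64|noarch)$", line.strip())
    if not m:
        raise ValueError("unexpected rpm -q output: " + line)
    return m.group(1) + "-" + m.group(2)


def heartbleed_status(installed_vr, fixed_vr=FIXED_EL6):
    iv, ir = split_vr(installed_vr)
    fv, fr = split_vr(fixed_vr)
    if rpmvercmp(iv, "1.0.1") < 0:
        return "not affected"  # 1.0.0 / 0.9.8 branches never had the heartbeat bug
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return "patched" if c >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines in the format rpm -q openssl prints.
    for line in ("openssl-1.0.1e-16.el6_5.7.i686", "openssl-1.0.1e-15.el6.x86_64"):
        print(line, "->", heartbleed_status(parse_rpm_q(line)))
```

Run `rpm -q openssl` on the box and feed its output to `parse_rpm_q`; a "vulnerable" result means the package predates the fixed build and `yum update openssl` still has work to do.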

what is the output of ‘rpm -q openssl’ ? See the version below for comparison.

[root@localhost ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.i686

Thanks for the help,
Brent

Argh, should have read all the post!

Question answered, thanks again.

[root@localhost ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.i686

brent

Great! Thanks.