OpenSSL 1.0.1m Update

By dirkkelly

Thursday, Mar 19, 2015

Slack Announcement

For those following along with the OpenSSL #security update: 1.0.1m was released today. There wasn’t a lot to talk about; we avoided the only high-severity issue, and even that was only a DoS.

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

Source

Whilst our three upstreams have still not distributed a release (which I don’t think is good enough), the issues themselves aren’t that bad. I appreciate that there appears to be more of a system evolving around the disclosure of these issues, though.

Anyone running an instance of OpenSSL 1.0.2 is urged to upgrade, even if your upstream provider has been slow on a release. Otherwise, stay on top of the event: set yourself a daily alert to check in. If you have any questions about it, you can shoot them to me.
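As an added example (not code from the original post), here is a small POSIX shell check a daily cron job can run to compare the installed OpenSSL release against the first fixed release on its branch. 1.0.1m is taken from this post; the fixed 1.0.2 release is not named here, so the script assumes you supply it through an OPENSSL_102_FIXED variable, and all function names are my own.

```shell
# Added example, not from the original post: compare the installed OpenSSL
# release with the first fixed release on its branch, so a daily cron job
# keeps alerting while an upstream package is still behind. Handles the
# letter-patch scheme (1.0.1l < 1.0.1m) and a branch with no letter yet.
alphabet=abcdefghijklmnopqrstuvwxyz
# 1.0.1m is the release the post names; the fixed 1.0.2 release is not named
# there, so it is taken from OPENSSL_102_FIXED (an assumption you fill in).
fixed_release_for_branch() {
  case $1 in
    1.0.1) echo 1.0.1m ;;
    1.0.2) echo "${OPENSSL_102_FIXED:-}" ;;
    *)     echo "" ;;
  esac
}
# "1.0.1m" -> "1 0 1 13": numeric fields plus the patch letter's alphabet
# index (no letter -> 0), so two releases compare field by field.
openssl_key() {
  base=${1%%[a-z]*}                                # e.g. 1.0.1
  letter=$(printf '%.1s' "${1#"$base"}"); idx=0    # e.g. m, or empty
  if [ -n "$letter" ]; then
    before=${alphabet%%"$letter"*}; idx=$(( ${#before} + 1 ))
  fi
  set -- $(printf '%s' "$base" | tr . ' ')
  echo "$1 $2 $3 $idx"
}
# Succeeds when release $1 is $2 or later (both on the same branch).
openssl_at_least() {
  set -- $(openssl_key "$1") $(openssl_key "$2")
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    have=${pair%%:*}; want=${pair##*:}
    [ "$have" -gt "$want" ] && return 0
    [ "$have" -lt "$want" ] && return 1
  done
  return 0
}
# Verdict for one release string: ok, upgrade, or unknown-branch.
openssl_status() {
  fixed=$(fixed_release_for_branch "${1%%[a-z]*}")
  [ -n "$fixed" ] || { echo unknown-branch; return 0; }
  if openssl_at_least "$1" "$fixed"; then echo ok; else echo upgrade; fi
}
# Cron entry point: parses `openssl version` ("OpenSSL 1.0.1f 6 Jan 2014")
# and exits non-zero, so cron mails you, until the host is at the fixed release.
daily_check() {
  rel=$(openssl version 2>/dev/null | awk '{print $2}')
  status=$(openssl_status "${rel:-none}")
  echo "OpenSSL ${rel:-not found}: $status"
  [ "$status" = ok ]
}
```

Append a line calling `daily_check` and schedule the file from cron; an `unknown-branch` verdict means the host is on a branch the table does not cover and needs a human look.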

Ubuntu Trusty

Ubuntu Trusty, no OpenSSL Update

Debian Wheezy

:warning: experiment/accidental OS

Debian Wheezy, no OpenSSL update

Amazon AMI

:bomb: We hate AMI, they never update anything. They never respond to security announcements with anything useful.

Amazon AMI, no OpenSSL Update

Trusting the Community

Using Ubuntu LTS means that we’re accepting we won’t see new packages distributed that often. In the past, when there have been severe security leaks, we have had packages released the same day.

Today turned out to be a low-level threat event, which is great. What is even better is that we were in the office at 9am with bagels and coffee ready to go. All of a sudden, at 10am, the official announcement went out, and we started tracking the event in GitHub.

Github Issues

Thanks to a cryptic but informative announcement a few days ago, we were ready to go with our response plan.

Announcement

So it was no big deal, but maybe there are ways we can be more involved in our operating system environments than we currently are. A big win over the past few weeks has been the introduction of immutability into our server creation process.

This means that we are able to build new servers, test that they work correctly, and then live-swap to the new environment when we’re ready to go live. Once things are confirmed to be running correctly, we can destroy the old server.

It’s been a long road getting here; huge thanks to NathanHarper, who was able to get environment variables working across all of our PHP applications.

Removed Envvars

Check out dem greens vs reds. Cheers for tidying up a bunch of junk, Natho!

How do you keep track of security updates and maintain a stable operating system base? Do you have a schedule, process or idea that you try to stick to? Let us know below; we’re always trying to improve.