Patching Heartbleed


#1

Hi gents, one question.

What’s the best way to patch the Heartbleed bug on an Ubuntu Server 13.10 installation without Docker?
Any recommended approach?

Tks!


(Kane York) #2

Just install the new openssl packages from the repositories and restart all services using it.

(If you don’t care about your precious uptime, restarting the whole server works too.)
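Added example, not part of any post in this thread: one way to find which processes still need that restart after the package upgrade. It looks in each process's memory map for a libssl/libcrypto file that has been replaced on disk, which the kernel marks "(deleted)". The function names and the optional proc-root argument are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example: list processes that still have the pre-upgrade OpenSSL
# libraries mapped. After the package upgrade replaces the file on disk, the
# old copy stays in memory and /proc/<pid>/maps shows it as "(deleted)".
# The optional argument (an alternate proc root) is an assumption made so
# the logic can be exercised against a constructed directory tree.

# Print the PIDs, one per line, that map a deleted libssl/libcrypto.
stale_openssl_pids() (
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable, or process exited
        # Matching line ends like: /lib/.../libssl.so.1.0.0 (deleted)
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"             # strip trailing /maps
            printf '%s\n' "${pid##*/}"      # keep only the PID component
        fi
    done | sort -n
)

# Print "PID<TAB>command name" for every process found above.
report_stale_openssl() (
    proc_root="${1:-/proc}"
    for pid in $(stale_openssl_pids "$proc_root"); do
        name="$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')"
        printf '%s\t%s\n' "$pid" "$name"
    done
)
```

Run `report_stale_openssl` as root so every process's maps file is readable. An empty result says nothing about programs that statically link or bundle their own OpenSSL.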


(Rikki Tooley) #3

And according to Netcraft you need to reissue your SSL certs as well.


(Michael Brown) #4

Let’s be clear here - reissuing your SSL certs against existing keys won’t help. You need to generate new private keys (and thus new certificates based on those).


(Michael Lapidakis) #5

I’ve updated the entire server, docker and discourse. Destroyed and bootstrapped the container and rebooted the entire server. My site is still showing up as vulnerable. What am I missing here?


(Michael Brown) #6

Have you pulled the latest discourse-docker?

The updated image (0.2.0) is necessary and the templates have changed to reflect that.

docker images --tree should show the ancestry similar to:

…
│         └─7fbcf08c75da Virtual Size: 804.8 MB
│           └─610a44f81f75 Virtual Size: 1.124 GB Tags: samsaffron/discourse:0.2.0
│             ├─656cc0013dad Virtual Size: 1.916 GB Tags: discourse/test:latest

(Michael Lapidakis) #7

I ended up running the docker build from your post below and rebuilding. I did this after pulling the latest discourse-docker build.

Thanks!