The Heartbleed Bug is a major vulnerability in the OpenSSL library. OpenSSL is extremely popular and is used as the cryptography library behind the scenes for countless secure applications. By now you’ve probably heard about it and its widespread implications. We’re not going to rehash it here, see: heartbleed.com
Roller Network uses Debian Linux as the OS of choice for our servers. However, we do not generally stay on the “bleeding edge” of updates, and in this case that has served us well.
- Debian 6.0″squeeze” utilizes the OpenSSL 0.9.8 release. This is the previous stable release. (See debian.org/releases/ for more information.)
- Debian 7.0 “wheezy” utilizes the OpenSSL 1.0.1 release. See: http://www.debian.org/security/2014/dsa-2896
OpenSSL 0.9.8 is not, and has not been, vulnerable to “heartbleed”. Only the newer OpenSSL 1.0.1 through 1.0.1f is vulnerable.
So where does that leave us? The good news is that we were still Debian 6.0 “squeeze” at the time of this security fiasco because we don’t like to jump right into the latest release for the sake of updating. The Debian security team still provides security updates to the previous stable release (also known as “oldstable”) for a period of time, so we’re in no rush to upgrade. Specific software that we do want to have newer versions of are either obtained from Debian backports or compiled manually. We like to take a wait-and-see approach before upgrading Debian distributions.
Here’s a rundown of the major services:
- Incoming mail servers (MX servers): Debian 6.0; not vulnerable, no risk.
- Hosted mail services (POP3, IMAP, Sieve): Debian 6.0; not vulnerable, no risk.
- Outbound mail services (SMTP AUTH, smarthost): Debian 6.0; not vulnerable, no risk.
- Webmail clients (Squirrrelmail and Roundcube, EV cert): Debian 6.0; not vulnerable, no risk.
- Primary and Secondary DNS Servers: Debian 6.0; not vulnerable, no risk.
- Account Control Center (acc.rollernet.us, EV cert): Debian 6.0; not vulnerable, no risk.
- LDAP, RADIUS, and SQL database servers: Debian 6.0; not vulnerable, no risk.
This is great news for our customers: at no time were any password-accepting Roller Network servers running a distribution that was affected by “heartbleed”. We did have an internal server in the office running Debian 7.0 and it’s been patched, SSH keys regnerated, and its SSL cert (signed by our internal CA) reissued.