I installed GitLab 6.6.5 via the omnibus package on Ubuntu 12.04 LTS. My question is: will the Ubuntu OpenSSL Heartbleed update cover the GitLab installation? The installation has an embedded nginx. I have enabled SSL via the GitLab Omnibus Merge Request #66.
- This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: https://serverfault.com/questions/tagged/heartbleed. – jww Apr 09 '14 at 11:06
2 Answers
Having an embedded NGinX doesn't mean it won't use the `/usr/bin/openssl` installed on your system (for instance, the `ngx_http_ssl_module` does require openssl).
If that openssl is 1.0.1g or 1.0.2, you won't have any issue.

```
openssl version
```

If not, it is easy enough to recompile it and install it.

To be sure, you can type:

```
ldd /path/to/nginx
```

That will give you the path of the openssl used by the binary nginx.
To get the full path, you can then use

```
readlink -f /path/to/libssl.so.1.0.0
```

Bruno adds in the comments:

> It's probably more about `/lib/*/libssl.so.1.0.0` than `/usr/bin/openssl` (which `ldd` should indicate indeed).
> In principle, upgrading to the package with the fix *and* restarting NGinX should fix the issue. Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features), but backport the security patches.

The OP crushedGrass points out in the comments Jacob Vosmaer (jacobvosmaer)'s commit ["Update omnibus-software (CVE-2014-0160)"](https://gitlab.com/gitlab-org/omnibus-gitlab/commit/bcc4ccbfa6c3ce716b3c3ab7317a80c8c352ff96) in omnibus-gitlab:

> so all I had to do was run a reconfiguration.
> I believe both your and Bruno's feedback is spot on, there are just more dependencies that have to match up.
> GitLab uses Chef cookbooks to configure the setup and I definitely do not know enough about it to modify it downstream.
- It's probably more about `/lib/*/libssl.so.1.0.0` than `/usr/bin/openssl` (which `ldd` should indicate indeed). In principle, upgrading to the package with the fix *and* restarting NGinX should fix the issue. Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features), but backport the security patches. – Bruno Apr 08 '14 at 20:37
- @Bruno Ok. I have included your comment in the answer for more visibility. – VonC Apr 08 '14 at 20:41
- Tried creating a symbolic link to replace `/opt/gitlab/embedded/lib/libssl.so.1.0.0` with `/lib/*/libssl.so.1.0.0`. After restarting the stack with `gitlab-ctl restart` all I get is a 502 error. I noticed that the GitLab package uses its own openssl in `/opt/gitlab/bin/` – Curtis Kelsey Apr 08 '14 at 21:47
- @crushedGrass `/lib/*/libssl.so.1.0.0` was a shortcut way to say: "it is somewhere in `/lib`": it is *not* a path for you to copy-paste. If GitLab uses its own openssl, simply type `/opt/gitlab/bin/openssl version` to check its version and see if you are vulnerable to this bug. – VonC Apr 09 '14 at 05:37
- I got it updated last night. Jacob Vosmaer pushed an [update from upstream](https://gitlab.com/gitlab-org/omnibus-gitlab/commit/bcc4ccbfa6c3ce716b3c3ab7317a80c8c352ff96) so all I had to do was run a reconfiguration. I believe both your and Bruno's feedback is spot on, there are just more dependencies that have to match up. GitLab uses Chef cookbooks to configure the setup and I definitely do not know enough about it to modify it downstream. Thanks for the help. – Curtis Kelsey Apr 09 '14 at 15:38
- @crushedGrass Excellent. I have included your comment in the answer for more visibility. – VonC Apr 09 '14 at 19:37
Just so it is clear:

```
# ldd /opt/gitlab/embedded/sbin/nginx
...
libssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
libcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)
...
```

GitLab omnibus uses its own bundled OpenSSL. `apt-get update` will not update and protect an install of GitLab omnibus.
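A script that automates the checks both answers describe, added here as an example and not code from the answers or from the omnibus-gitlab project: it parses `ldd` output to find the libssl a binary actually loads, classifies an `openssl version` string against CVE-2014-0160, and applies Bruno's caveat that distro packages keep the upstream version number while backporting fixes. The `check_binary` live helper, its assumption that the matching `openssl` binary lives in `../bin` next to the library, and the sample `ldd` lines are my additions.

```shell
#!/bin/sh
# Added example, not code from either answer: automates the first answer's
# check (ldd -> readlink -f -> openssl version) plus Bruno's distro caveat.
# Assumes POSIX sh with awk; ldd/readlink/openssl are only used in check_binary.

# Print the libssl path from `ldd` output read on stdin (nothing if unlinked).
libssl_path_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Classify an `openssl version` line against CVE-2014-0160 (Heartbleed):
# upstream 1.0.1 to 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and
# 1.0.2-beta2 onward are fixed, 1.0.0 and 0.9.8 never had the heartbeat code.
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*)           echo fixed ;;
        1.0.0*|0.9.*)                 echo unaffected ;;
        *)                            echo unknown ;;
    esac
}

# A bundled libssl (e.g. /opt/gitlab/embedded/lib) is what upstream shipped, so
# its version string is authoritative. A distro libssl under /lib or /usr/lib
# keeps the upstream version while fixes are backported: check the changelog.
heartbleed_verdict() {
    verdict=$(classify_openssl_version "$2")
    case "$1" in
        /lib/*|/usr/lib/*) if [ "$verdict" = vulnerable ]; then verdict=check-distro-patch-level; fi ;;
    esac
    echo "$verdict"
}

# Live check on a host, e.g.: check_binary /opt/gitlab/embedded/sbin/nginx
# Prefers the openssl next to the resolved library (assumed ../bin layout).
check_binary() {
    lib=$(ldd "$1" | libssl_path_from_ldd)
    [ -n "$lib" ] || { echo "$1: no libssl linked"; return 1; }
    real=$(readlink -f "$lib")
    ossl=$(dirname "$(dirname "$real")")/bin/openssl
    [ -x "$ossl" ] || ossl=openssl
    echo "$1 -> $real: $(heartbleed_verdict "$real" "$("$ossl" version)")"
}

# Constructed sample mirroring the ldd output shown in the second answer.
SAMPLE_LDD='libssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
libcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)'
printf '%s\n' "$SAMPLE_LDD" | libssl_path_from_ldd
heartbleed_verdict /opt/gitlab/embedded/lib/libssl.so.1.0.0 'OpenSSL 1.0.1e 11 Feb 2013'
```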