Is PirateBox, LibraryBox & OFFLINEART affected from the Heartbleed Bug?

Posted by Matthias 
Is PirateBox, LibraryBox & OFFLINEART affected from the Heartbleed Bug?
April 14, 2014 07:44PM
Hi Community,
From the LibraryBox Project, I received the question of how far the LibraryBox is affected by the Heartbleed bug. The member supported his question with a quote of the package dependencies, showing that the vulnerable openssl version is installed.


In which way is PirateBox affected by that bug:

Short answer is, yes and no.

The webserver which we are using on PirateBox and forks is called lighttpd. This webserver has a package dependency on openssl, so the affected software package is installed. Because we are not using SSL (https connections on port 443), which I disabled in lighttpd's configuration, the bug cannot be used to leak data from our box.

I read on the OpenWRT development mailing list that openssl may be statically linked in the firmware itself. I assume that is the special case when you have the original web interface running. On the custom images, that webserver is not installed.
The included SSH server may be linked too, but in this scenario the function with the Heartbleed bug may not be active (it is only used in TLS encryption).
Anyway, for updating that, you may reflash your box with a new firmware, which isn't published yet.


If you enabled https connections with a certificate, or do other things with the Box that I can't imagine right now, you may want to patch the obvious open door. I prepared a few things:

PirateBox 0.6, OFFLINEART and LibraryBox 1.5
Download the new libopenssl version from the following URL and upload it to your box with your upload tool :) (or place it on the USB Stick while the 'box is offline)

http://stable.openwrt.piratebox.de/heartbleed/libopenssl_1.0.1g-1_ar71xx.ipk

After that, log in to your box with telnet or ssh (depending on how you configured your box) and run the following command:

opkg install -d piratebox /mnt/usb/PirateBox/Shared/libopenssl_1.0.1g-1_ar71xx.ipk
(You may need to adjust the path depending on your upload-folder configuration. The above reflects the default.)

PirateBox 1.0 and LibraryBox 2.0 -- AutoInstall image
For all who are using the auto-install version of the PirateBox or are running LibraryBox, the installation is quite comfortable:

* Download the openssl_fix zip file http://stable.openwrt.piratebox.de/heartbleed/install_libopenssl.zip
* Power your 'Box off and plug the USB into your computer
* Unzip the file and copy over the "install" folder to your USB Stick; overwrite all files, if prompted.
* Plug the USB Stick into your 'box again and power it up. The box will boot, install the new file and then do a reboot.

After you did that procedure, the lib is updated.


PirateBox 1.0 without auto-install
Download the new libopenssl version from the following URL and upload it to your box with your upload tool :) (or place it on the USB Stick while the 'box is offline)

http://stable.openwrt.piratebox.de/heartbleed/libopenssl_1.0.1g-1_ar71xx.ipk

After that, log in to your box with telnet or ssh (depending on how you configured your box) and run the following command:

opkg install -d ext /mnt/usb/PirateBox/Shared/libopenssl_1.0.1g-1_ar71xx.ipk
(You may need to adjust the path depending on your upload-folder configuration. The above reflects the default.)

LibraryBox 1.5
Due to the fact, that on LibraryBox the webserver is not installed and the package only uses a collection of Python-Scripts, the LibraryBox 1.5 is not affected (as far as I know).

regards Matthias


This is only my signature.



Edited 1 time(s). Last edit at 04/14/2014 07:53PM by Matthias.
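
The check the post above reasons through (vulnerable libopenssl installed, but no https listener in lighttpd), written out as an added example that is not part of the original post or the PirateBox scripts. Function names and sample inputs are constructed; the version range used is the published one for Heartbleed (OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed).

```shell
#!/bin/sh
# Added example, not PirateBox project code. All sample inputs are constructed.

# Classify a libopenssl package version for Heartbleed:
# 1.0.1 through 1.0.1f are affected, 1.0.1g and later 1.0.1 letters are fixed.
heartbleed_status() {
    ver=${1%%-*}                 # drop the opkg revision: "1.0.1g-1" -> "1.0.1g"
    case "$ver" in
        '')                  echo not-installed ;;
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;
        1.0.1[a-z]*)         echo fixed ;;     # g or later; a-f matched above
        *)                   echo unknown ;;   # other branches: not judged here
    esac
}

# Read a lighttpd configuration on stdin; say whether any uncommented
# line turns the TLS engine on.
lighttpd_tls_enabled() {
    if sed 's/#.*//' | grep -Eq 'ssl\.engine[[:space:]]*=[[:space:]]*"enable"'; then
        echo yes
    else
        echo no
    fi
}

# $1 = output of `opkg list-installed`, $2 = text of the lighttpd config.
box_exposure() {
    pkgver=$(printf '%s\n' "$1" | awk '$1 == "libopenssl" { print $3 }')
    lib=$(heartbleed_status "$pkgver")
    tls=$(printf '%s\n' "$2" | lighttpd_tls_enabled)
    case "$lib/$tls" in
        vulnerable/yes) echo "exposed-over-https" ;;
        vulnerable/no)  echo "vulnerable-lib-no-https-listener" ;;
        *)              echo "$lib" ;;
    esac
}

# Constructed samples: a pre-fix box with https off, and one with https on.
SAMPLE_OPKG_OLD='lighttpd - 1.4.30-2
libopenssl - 1.0.1e-1'
SAMPLE_OPKG_NEW='libopenssl - 1.0.1g-1'
SAMPLE_CONF_OFF='server.port = 80
#ssl.engine = "enable"'
SAMPLE_CONF_ON='$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
}'

box_exposure "$SAMPLE_OPKG_OLD" "$SAMPLE_CONF_OFF"   # the default case from the post
```

On a box, pass the real `opkg list-installed` output as the first argument and the contents of your own lighttpd configuration file as the second. The check only covers the lighttpd listener, not other software linked against the library.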
Re: Is PirateBox, LibraryBox & OFFLINEART affected from the Heartbleed Bug?
April 14, 2014 07:50PM
Thanks to FreadZombie, I will release new image-files & auto-install zip within the next days, which directly contain the updated SSL file.
Re: Is PirateBox, LibraryBox & OFFLINEART affected from the Heartbleed Bug?
April 15, 2014 09:23PM
Thanks to FriedZombie, I updated the images on those two locations today

http://beta.openwrt.piratebox.de/auto/
http://stable.openwrt.piratebox.de/ar71xx_AA_BB_0.1/