Heartbleed, Ubuntu 12.04 and some Java HTTP Client is a bad combo

Oh my. After discovering that my employer was vulnerable to the Heartbleed bug, I quickly ran apt-get update and apt-get upgrade on some Ubuntu 12.04 systems. Problem solved… not so fast. Suddenly a lot of services communicating with us stopped understanding what we were returning over SSL.

For some reason, a Java HTTP client that a lot of people are using did not like the upgrade to a higher OpenSSL version. What to do? In the end I moved everything over to 10.04, which runs a version of OpenSSL that is not vulnerable to Heartbleed and at the same time makes sense to our partners’ Java code. In effect they are forcing us to use old software through their own use of old software, lovely.

All good then? No. As it happens, we’ve just bought a couple of Dell R820 machines that we’re going to migrate to, and they don’t support 10.04. Damn…

So here is the rundown on how to install old Apache and PHP module packages from Lucid in Precise, a selective downgrade of parts of the system:

1.) Add the below to your /etc/apt/sources.list and run apt-get update (replace gb with what’s closest to you of course):

deb http://gb.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://gb.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb http://gb.archive.ubuntu.com/ubuntu/ lucid universe
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted

2.) Purge everything completely if you’re not installing from scratch:

sudo apt-get remove --purge phpmyadmin apache2-mpm-prefork libapache2-mod-php5 apache2.2-common php5-common

3.) Running apt-cache policy <package> on each of the following packages gave me the complete version numbers that I use in the next steps:

apache2-mpm-prefork
phpmyadmin
libapache2-mod-php5
apache2.2-common
apache2.2-bin
php5-common
php5-cli
php5-mysql
php5-mcrypt
php5-pdo
php5-gd

4.) I installed Apache first but it’s probably possible to just run everything in one go:

apt-get install apache2-mpm-prefork=2.2.14-5ubuntu8.13 apache2.2-common=2.2.14-5ubuntu8.13 apache2.2-bin=2.2.14-5ubuntu8.13

5.) And then the rest:

apt-get install libapache2-mod-php5=5.3.2-1ubuntu4.24 php5-common=5.3.2-1ubuntu4.24 phpmyadmin=4:3.3.2-1 php5-cli=5.3.2-1ubuntu4.24 php5-mysql=5.3.2-1ubuntu4.24 php5-curl=5.3.2-1ubuntu4.24 php5-mcrypt=5.3.2-0ubuntu1 php5-gd=5.3.2-1ubuntu4.24

That seems to work and you might want to pin everything down so you don’t get screwed if you run an apt-get upgrade at some point.
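
One way to do the pinning mentioned above, as an added example that is not part of the original post: a small shell function that turns the pkg=version pairs from steps 4 and 5 into APT preferences stanzas. The function name make_pins and the script and preferences file names are assumptions; a Pin-Priority above 1000 makes APT keep the pinned version even though Precise offers a newer one.

```shell
#!/bin/sh
# Added example: build APT preferences stanzas for the Lucid packages
# installed in steps 4 and 5, so apt-get upgrade leaves them alone.

# pkg=version pairs copied from the install commands above.
LUCID_PINS="
apache2-mpm-prefork=2.2.14-5ubuntu8.13
apache2.2-common=2.2.14-5ubuntu8.13
apache2.2-bin=2.2.14-5ubuntu8.13
libapache2-mod-php5=5.3.2-1ubuntu4.24
php5-common=5.3.2-1ubuntu4.24
phpmyadmin=4:3.3.2-1
php5-cli=5.3.2-1ubuntu4.24
php5-mysql=5.3.2-1ubuntu4.24
php5-curl=5.3.2-1ubuntu4.24
php5-mcrypt=5.3.2-0ubuntu1
php5-gd=5.3.2-1ubuntu4.24
"

# make_pins PKG=VERSION ...
# Prints one preferences stanza per argument; returns 1 on a malformed
# argument so a typo cannot silently leave a package unpinned.
make_pins() {
    for spec in "$@"; do
        pkg=${spec%%=*}   # text before the first '='
        ver=${spec#*=}    # text after the first '=' (keeps epochs like 4:)
        case "$spec" in
            *=*) ;;
            *) echo "make_pins: expected pkg=version, got '$spec'" >&2
               return 1 ;;
        esac
        if [ -z "$pkg" ] || [ -z "$ver" ]; then
            echo "make_pins: empty package or version in '$spec'" >&2
            return 1
        fi
        printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' \
            "$pkg" "$ver"
    done
}

# Print the stanzas; redirect into a preferences file to apply them, e.g.
#   sh make-pins.sh | sudo tee /etc/apt/preferences.d/lucid-downgrade
# (script and file names are assumptions), then check the result with
#   apt-cache policy apache2.2-common
# shellcheck disable=SC2086  # word splitting of LUCID_PINS is intended
make_pins $LUCID_PINS
```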
