Last Updated: February 25, 2016
·
1.675K
· sairez

Fix heartbleed - Update debian openssl version with ansible

This playbook can be used to update Debian Wheezy to the latest openssl version that has patched the heartbleed vulnerability.

As is, this should work with ansible 1.5.x. The tasks that are commented out assume ansible 1.6 for the usage of the debconf module.

ansible-playbook -i inventory openssl.yml -k -K

openssl.yml:

---

- hosts: all
  user: ansible_user
  sudo: yes
  sudo_user: root
  tasks:
    - name: OpenSSL | Get current version
      shell: 'dpkg-query -W openssl'
      register: openssl_version

    - name: OpenSSL | Get current version
      shell: 'dpkg-query -W libssl1.0.0'
      register: libssl_version

    - name: OpenSSL | Confirm new version
      debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"

    - name: OpenSSL | Apt | Install debconf-utils
      apt: pkg='debconf-utils' state='latest'

    - name: OpenSSL | Apt | Prevent restart services dialog
    # debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp'
      shell: 'debconf-set-selections <<< "libssl1.0.0 libssl1.0.0/restart-services string ntp"'

    - name: OpenSSL | Apt | Prevent restart services dialog
    # debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp'
      shell: 'debconf-set-selections <<< "libssl1.0.0:amd64 libssl1.0.0/restart-services string ntp"'

    - name: OpenSSL | Apt | Upgrade Openssl
      apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes'
      with_items:
        - 'openssl'
        - 'libssl1.0.0'

    - name: OpenSSL | Get new version
      shell: 'dpkg-query -W openssl'
      register: openssl_version

    - name: OpenSSL | Get new version
      shell: 'dpkg-query -W libssl1.0.0'
      register: libssl_version

    - name: OpenSSL | Confirm new version
      debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"