The OpenSSL Heartbleed bug: UPDATE NOW!

The OpenSSL "Heartbleed Bug (CVE-2014-0160)" (see https://www.openssl.org/news/secadv_20140407.txt), as it is being called, is a serious security hole in the Secure Sockets Layer (SSL) used for sending private documents over the internet. This bug is fixed for Allegro CL by our recent SSL module update. This update affects Windows and UNIX ports of Allegro CL and AllegroGraph.

Some background: the ACL SSL module has some glue code that sits between the OpenSSL library and Allegro CL (and any app that is built upon Allegro CL, including AllegroGraph). On UNIX, this glue code statically links with the OpenSSL libraries. On Windows, we dynamically link to the installed OpenSSL libraries on the system.

For Windows, you can update your OpenSSL by following the instructions here:

http://franz.com/ftp/pub/openssl/windows/readme.txt

For UNIX systems, including Mac OS and Linux, you need to update your Allegro CL with sys:update-allegro. The only files updated are the ACL SSL shared libraries. They are named:

  aclssl.$ext      for mlisp8 and alisp8
  aclissl.$ext     for mlisp and alisp

where $ext is the platform-specific shared library extension: so (thus aclissl.so etc.) on Linux, AIX, FreeBSD and Solaris; and dylib (thus aclissl.dylib etc.) on Mac OS. (As noted above, Windows platforms are updated in a different way.)

If you've built an application which uses the SSL module, then you need to:

  1. Replace the aclssl or aclissl shared library in the application's installation directory.
  2. Restart your application.

Step #2 is critical, since you won't use the fixed OpenSSL unless you restart.

You can test your service, if it is public, with the following websites:

AllegroGraph Servers

AllegroGraph maintenance release, version 4.13.2, is available for download. This release contains the Heartbleed bug fix. We recommend users download this new release. If for any reason you are unable to download and use version 4.13.2, follow the instructions below for applying the Heartbleed fix to your pre-4.13.2 AllegroGraph version.

Here are the specific steps to fix AllegroGraph servers:

  1. Download the following to your local machine running AllegroGraph:
       http://franz.com/ftp/pub/patches/8.2/linuxamd64.64/aclissl.so
    
  2. Find where AllegroGraph is installed and replace the file of the same name in that installation directory with the one downloaded in step #1.
  3. Restart the AllegroGraph server. That is, stop it with the following command, where [AG directory] is the directory where AllegroGraph is installed:

    [AG directory]/bin/agraph-control --config [AG directory]/lib/agraph.cfg stop

    and restart it with

    [AG directory]/bin/agraph-control --config [AG directory]/lib/agraph.cfg start

Most AllegroGraph clients (AGWebview, etc.) run on non-Allegro CL software, which should be updated independently and the client restarted when the AllegroGraph server is restarted. If you are using the Lisp client, update Allegro CL as described above and then restart Allegro CL and connect it to the AllegroGraph server.
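Both the application steps and the AllegroGraph steps above end with a restart, because a running process keeps the old library mapped. The following is an added example (not part of the original advisory and not Franz tooling) that lists Linux processes still mapping a replaced aclssl.so or aclissl.so; it assumes the file was replaced by unlink or rename, and the sample PIDs and the /opt/app path are constructed.

```shell
#!/bin/sh
# Added example (not Franz code): find processes still running the old ACL SSL
# library. Assumption: Linux /proc; when a mapped file is replaced by unlink or
# rename, the kernel appends " (deleted)" to its path in /proc/PID/maps.

# stale_aclssl_maps [PROC_ROOT]: print "PID PATH" for every stale mapping.
stale_aclssl_maps() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"; pid="${pid##*/}"
        # One library shows up as several segments; report each path once.
        awk -v pid="$pid" '
            /\/acli?ssl\.so \(deleted\)$/ && !($6 in seen) {
                seen[$6] = 1; print pid, $6
            }' "$maps" 2>/dev/null || :
    done
    return 0
}

# needs_restart [PROC_ROOT]: succeeds if any process still maps the old file.
needs_restart() {
    [ -n "$(stale_aclssl_maps "${1:-/proc}")" ]
}

# make_sample_proc DIR: constructed /proc-like tree for an offline demo.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    # 101: started before the update, never restarted.
    printf '%s\n' \
      '7f10000000-7f10200000 r-xp 00000000 08:01 1310 /opt/app/aclissl.so (deleted)' \
      '7f10400000-7f10410000 rw-p 00200000 08:01 1310 /opt/app/aclissl.so (deleted)' \
      > "$1/101/maps"
    # 202: restarted after the update, maps the new file.
    printf '%s\n' \
      '7f20000000-7f20200000 r-xp 00000000 08:01 1422 /opt/app/aclissl.so' \
      > "$1/202/maps"
    # 303: unrelated deleted mapping that must not be reported.
    printf '%s\n' \
      '7f30000000-7f30100000 r-xp 00000000 08:01 1500 /usr/lib/libfoo.so (deleted)' \
      > "$1/303/maps"
}

# Demo on the constructed tree; call stale_aclssl_maps with no argument to scan /proc.
demo_dir="$(mktemp -d)"
make_sample_proc "$demo_dir"
stale_aclssl_maps "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root on a live system so that the maps of every process are readable. If the library was overwritten in place instead of being replaced, no "(deleted)" marker appears, so an empty result does not prove that the process was restarted.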

Copyright © 2023 Franz Inc., All Rights Reserved