First of all: this is a re-post of an article from another blog, I do not want to take someone else's credit! You can find the original post HERE 😉
Many thanks to its author, you saved me a lot of time!
I just want to share it since it was really useful for fixing a bunch of servers at once, so you can use "my" solution or simply go to the original post and check the other alternatives.
The basic idea is to use Ansible to update OpenSSL on all your servers and restart every impacted service. Upgrading the package is not enough on its own: a process that was already running keeps the old, vulnerable libssl mapped in memory until it is restarted, which is exactly what the lsof check in the playbook detects (lsof marks a mapped file that has been replaced on disk as "DEL"). The last task deliberately fails on any host where some process still maps the deleted library, so a service that is not in the restart list (sshd, for example) is reported instead of being silently missed. Keep in mind that patching only closes the hole; if you assume private keys or sessions were already read through it, re-issuing certificates and resetting credentials is a separate step.
Simple and effective! Find the original script here: https://github.com/jdauphant/patch-openssl-CVE-2014-0160/blob/master/patch-openssl-CVE-2014-0160.yml
My only additions are sudo and remote_user, since my setup expects them to be set in the playbook itself:
```yaml
---
- hosts: all
  remote_user: my_sudo_user
  sudo: True                  # Ansible 1.x syntax; "become: yes" on 1.9 and later
  vars:
    openssl_packages: ["openssl", "libssl1.0.0"]
    # services that link libssl and must be restarted after the upgrade;
    # anything not listed here is caught by the final check instead of being missed
    openssl_impacted_service:
      - nginx
      - apache2
      - postgresql
      - php5-fpm
      - openvpn
      - postfix
      - monit
      - zabbix-server
  tasks:
    - name: ensure openssl is the latest version
      apt: pkg={{item}} state=latest update_cache=yes
      register: openssl_updated
      with_items: openssl_packages      # bare variable name is Ansible 1.x style
      when: ansible_os_family == "Debian"

    - name: ensure lsof is installed for the checks below
      apt: pkg=lsof state=present
      when: ansible_os_family == "Debian"

    # lsof shows a mapped file that was replaced on disk as "DEL"; grep exits
    # 0 when such a libssl mapping exists, 1 when there is none, >1 on error
    - name: check if any process still maps the old libssl
      shell: "lsof -n | grep 'DEL.*libssl.so'"
      register: result_check
      failed_when: result_check.rc > 1
      changed_when: result_check.rc != 1
      always_run: yes                   # "check_mode: no" on Ansible 2.2 and later

    # "command" does not go through a shell, so the pipe only works with "shell"
    - name: test running services
      shell: "service {{item}} status | grep -i running"
      register: services_status
      with_items: openssl_impacted_service
      when: result_check.rc == 0 or openssl_updated.changed
      ignore_errors: true
      always_run: yes

    # only restart the listed services that were actually running (rc == 0 above)
    - name: restart running services
      service: name={{item.item}} state=restarted
      with_items: services_status.results
      when: (result_check.rc == 0 or openssl_updated.changed) and item.rc == 0

    # fail the play if something not in the list (sshd, cron, ...) still maps
    # the deleted library, so it is reported rather than silently left vulnerable
    - name: ensure no more services need to be restarted
      shell: "lsof -n | grep 'DEL.*libssl.so'"
      register: result
      failed_when: result.rc == 0
      changed_when: result.rc != 1
      always_run: yes
```
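The playbook only tells you that *some* process still maps the old libssl; when the final task fails on a host you still have to work out which processes are responsible. The script below is an added example (not part of the original post or of jdauphant's playbook) that parses `lsof -n` output and lists the PID and command name of every process holding a deleted OpenSSL library. It goes one step beyond the playbook's grep by also matching libcrypto, which is an assumption about what you want restarted (the Heartbleed bug itself is in libssl). The lsof output embedded in it is constructed to look like a host where nginx and sshd were running while the libraries were replaced.

```sh
#!/bin/sh
# Added example, not from the original post or the linked playbook.
# Constructed sample of "lsof -n" output: the FD column reads "DEL" for a
# memory-mapped file that has been deleted/replaced on disk, and SIZE/OFF is
# empty on those lines, so fields are addressed from both ends in awk.
SAMPLE_LSOF='COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    1234 root mem    REG  252,0   123456 1111 /usr/sbin/nginx
nginx    1234 root DEL    REG  252,0          2222 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    1234 root DEL    REG  252,0          2223 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx    1235 www  DEL    REG  252,0          2222 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd     2345 root DEL    REG  252,0          2223 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
cron     3456 root mem    REG  252,0    45678 4444 /lib/x86_64-linux-gnu/libc.so.6'

# stale_openssl_procs: reads lsof output on stdin and prints "pid command"
# once per process that maps a deleted libssl or libcrypto (assumption: you
# want libcrypto-only users restarted too, unlike the playbook's grep).
stale_openssl_procs() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ && !seen[$2]++ { print $2, $1 }'
}

# stale_commands: the distinct command names, i.e. what you would compare
# against the playbook's openssl_impacted_service list to spot omissions.
stale_commands() {
    stale_openssl_procs | awk '!seen[$2]++ { print $2 }'
}

# needs_restart: exit 0 when at least one stale process exists, 1 otherwise,
# mirroring how the playbook turns grep's exit status into changed/failed.
needs_restart() {
    [ -n "$(stale_openssl_procs)" ]
}

# Run against the constructed sample; on a real host use: lsof -n | stale_openssl_procs
printf '%s\n' "$SAMPLE_LSOF" | stale_openssl_procs
```

On a real host run it as root (lsof only sees other users' processes with enough privilege), and compare the output of `stale_commands` with the service list in the playbook: a command that shows up here but has no matching service entry is the one that made the last task fail.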
