Fix heartbleed – Update Debian openssl version with ansible

This playbook can be used to update Debian Wheezy to the latest openssl version, which fixes the Heartbleed vulnerability.

As is, this should work with ansible 1.5.x. The commented-out tasks assume ansible 1.6, for use of the debconf module.

ansible-playbook -i inventário openssl.yml -k -K

openssl.yml:

---

- hosts: all
  user: ansible_user
  sudo: yes
  sudo_user: root
  tasks:
    # Record the installed package versions before the upgrade
    - name: OpenSSL | Get current version
      shell: 'dpkg-query -W openssl'
      register: openssl_version

    - name: OpenSSL | Get current version
      shell: 'dpkg-query -W libssl1.0.0'
      register: libssl_version

    - name: OpenSSL | Confirm current version
      debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"

    - name: OpenSSL | Apt | Install debconf-utils
      apt: pkg='debconf-utils' state='latest'

    # Pre-answer the libssl "restart services" question so apt does not block on a dialog.
    # echo is piped in because the shell module runs /bin/sh (dash on Debian), which has no <<< here-string.
    - name: OpenSSL | Apt | Prevent restart services dialog
      # debconf: name='libssl1.0.0' question='libssl1.0.0/restart-services' vtype='string' value='ntp'
      shell: 'echo "libssl1.0.0 libssl1.0.0/restart-services string ntp" | debconf-set-selections'

    - name: OpenSSL | Apt | Prevent restart services dialog
      # debconf: name='libssl1.0.0:amd64' question='libssl1.0.0/restart-services' vtype='string' value='ntp'
      shell: 'echo "libssl1.0.0:amd64 libssl1.0.0/restart-services string ntp" | debconf-set-selections'

    - name: OpenSSL | Apt | Upgrade Openssl
      apt: pkg='{{item}}' state='latest' update_cache='yes' install_recommends='yes' force='yes'
      with_items:
        - 'openssl'
        - 'libssl1.0.0'

    # Record and print the package versions after the upgrade
    - name: OpenSSL | Get new version
      shell: 'dpkg-query -W openssl'
      register: openssl_version

    - name: OpenSSL | Get new version
      shell: 'dpkg-query -W libssl1.0.0'
      register: libssl_version

    - name: OpenSSL | Confirm new version
      debug: msg="OpenSSL version installed is {{openssl_version.stdout}}, libssl version installed is {{libssl_version.stdout}}"
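
Because the playbook answers the restart-services question with ntp, the package upgrade restarts only ntp; other daemons keep the old libssl mapped in memory until they are restarted. The following added example (not part of the original playbook) lists such processes by looking for libssl/libcrypto mappings marked "(deleted)" in /proc. The function names stale_ssl_pids and make_sample_proc and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original playbook). Function names are hypothetical.
# After the upgrade, a process that loaded libssl/libcrypto before the package
# was replaced still maps the old file, shown as "(deleted)" in /proc/<pid>/maps.

# stale_ssl_pids [PROC_ROOT]: print "pid<TAB>command<TAB>libraries" per process.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # other users' processes need root
        pid_dir="${maps%/maps}"
        libs=$(awk '/\/lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ {
                n = split($6, part, "/"); lib = part[n]
                if (!(lib in seen)) { seen[lib] = 1; printf "%s%s", sep, lib; sep = "," }
            }' "$maps" 2>/dev/null) || continue   # process exited mid-scan
        [ -n "$libs" ] || continue
        name=$(cat "$pid_dir/comm" 2>/dev/null) || name='?'
        printf '%s\t%s\t%s\n' "${pid_dir##*/}" "$name" "$libs"
    done
}

# Constructed sample: a fake /proc with one stale process (101) and one
# process that was restarted and maps the new library (202).
make_sample_proc() {
    sample_root=$(mktemp -d) || return 1
    mkdir -p "$sample_root/101" "$sample_root/202"
    lib_dir=/usr/lib/x86_64-linux-gnu
    echo apache2 > "$sample_root/101/comm"
    printf '%s\n' \
        "7f10a000-7f10f000 r-xp 00000000 08:01 131 $lib_dir/libssl.so.1.0.0 (deleted)" \
        "7f10f000-7f110000 rw-p 00005000 08:01 131 $lib_dir/libssl.so.1.0.0 (deleted)" \
        "7f200000-7f2a0000 r-xp 00000000 08:01 132 $lib_dir/libcrypto.so.1.0.0 (deleted)" \
        > "$sample_root/101/maps"
    echo ntpd > "$sample_root/202/comm"
    echo "7f30a000-7f30f000 r-xp 00000000 08:01 977 $lib_dir/libssl.so.1.0.0" \
        > "$sample_root/202/maps"
    echo "$sample_root"
}

# Scan the live /proc by default, or the directory given as first argument.
stale_ssl_pids "${1:-/proc}"
```

Run it as root on each host after the playbook; every process it lists needs a restart before it uses the upgraded library.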