
I am running an Ubuntu 12.04 server and I just updated the server with (and rebooted afterwards)

sudo apt-get dist-upgrade

Now the OpenSSL version says it is built on 7 Apr 2014, which is good, but the version seems to be 1.0.1e, which is vulnerable. So which is correct, the date or the version information?

jan

3 Answers

2

Ubuntu backported the fix to 1.0.1e rather than switching to the new version. See zless /usr/share/doc/openssl/changelog.Debian.gz for details.

However, you have to restart affected services (that loaded the old version at startup) as well or they will remain vulnerable.

0
$ sudo apt-get changelog openssl | grep CVE-2014-0160
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
    - CVE-2014-0160

This will show you if you have a patched version.

0

Upgrading OPENSSL is ___FAR___ from being enough.

I recommend at least the following, though I'm not exhaustive:

  • upgrade OPENSSL to a safe version like you did
  • make your users change all their passwords, as they may have been compromised
  • change all your SSL certificates.

More detailed answers can be found here: Heartbleed: What is it and what are options to mitigate it? To check that your version of OPENSSL is not vulnerable on any Debian-based distribution, you can do the following:

apt-get update && apt-get install openssl

If you obtain

openssl is already the newest version.

then you are not vulnerable. All major Linux and BSD distributions included a safe version of OpenSSL really quickly.

As of today, here is the expected output:

# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 17 20:54:07 UTC 2014
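The three answers above each give one check: read the Debian changelog for the CVE id, compare the build date in openssl version -a against the fix date, and restart services that still have the old library mapped. The script below is an added example, not code from the thread or from Ubuntu; it turns those checks into small shell functions and runs them over constructed sample text (a changelog excerpt with a placeholder package version, the version output quoted in the last answer, and a made-up lsof listing). On a real host you would feed in the real output of apt-get changelog openssl, openssl version -a and lsof -n instead.

```shell
#!/bin/sh
# Added example (not part of the original thread). All sample input below is
# constructed; the package version "1.0.1e-EXAMPLE" is a placeholder.

# Constructed Debian changelog excerpt in the layout the second answer greps.
SAMPLE_CHANGELOG='openssl (1.0.1e-EXAMPLE) precise-security; urgency=medium

  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160
'

# The "openssl version -a" output quoted in the third answer.
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 17 20:54:07 UTC 2014'

# Constructed "lsof -n" lines: nginx still maps a libssl that was replaced on
# disk (FD column "DEL" = deleted mapping), sshd already uses the new file.
SAMPLE_LSOF='COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    1234 root  DEL  REG  252,0  1188  /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd     5678 root  mem  REG  252,0  1188  /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Fix date from the question (7 Apr 2014) as YYYYMMDD for numeric comparison.
FIX_DATE=20140407

# Succeeds if the changelog text ($1) mentions the CVE id ($2): a backported
# fix keeps the 1.0.1e version string, so the changelog is the reliable signal.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# Extract the "built on:" line from "openssl version -a" output ($1) and print
# it as YYYYMMDD, e.g. "Thu Apr 17 20:54:07 UTC 2014" -> 20140417.
build_date_yyyymmdd() {
    line=$(printf '%s\n' "$1" | grep '^built on:') || return 1
    set -- $line            # built on: Thu Apr 17 20:54:07 UTC 2014
    mon=$4; day=$5; year=$8
    case $mon in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    [ ${#day} -eq 1 ] && day=0$day
    printf '%s%s%s\n' "$year" "$m" "$day"
}

# Succeeds if the library was built on or after the fix date.
built_after_fix() {
    d=$(build_date_yyyymmdd "$1") || return 1
    [ "$d" -ge "$FIX_DATE" ]
}

# Print PIDs from lsof output ($1) that still map a deleted libssl: these are
# the services the first answer says must be restarted.
stale_libssl_pids() {
    printf '%s\n' "$1" | awk '$4 == "DEL" && $NF ~ /libssl/ { print $2 }'
}

# Stand-alone report over the constructed samples.
if changelog_has_cve "$SAMPLE_CHANGELOG" CVE-2014-0160; then
    echo "changelog: CVE-2014-0160 patch present"
else
    echo "changelog: CVE-2014-0160 NOT mentioned"
fi
if built_after_fix "$SAMPLE_VERSION"; then
    echo "build date: $(build_date_yyyymmdd "$SAMPLE_VERSION") is on/after $FIX_DATE"
else
    echo "build date: before $FIX_DATE"
fi
echo "processes still mapping a deleted libssl: $(stale_libssl_pids "$SAMPLE_LSOF")"
```

The build-date check only confirms that the binary was rebuilt after the fix; the changelog check is the one that ties the rebuild to CVE-2014-0160. Both say nothing about processes that loaded the old library before the upgrade, which is why the lsof pass is listed separately.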