
Thread: OpenSSL Server Heartbeat or Heartbleed vulnerability

  1. #1
    Join Date
    Mar 2006
    Location
    Rumplestiltskin, Cal.
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    OpenSSL Server Heartbeat or Heartbleed vulnerability

    In a hurry? See my question under the --------------- line.

    I follow Falko Timme's Twitter feed and am glad I do, even though I'm an end user of Ubuntu. Today, Mr. Timme warned of an attack vector to #Openssl #Heartbleed #vulnerability.

    I opened the link "How To Find Out If Your Server Is Affected"

    and, even though I cannot recall ever installing something named OpenSSL, I was surprised to see that this package is installed on my home desktop box, which, AFAIK, does NOT serve anything whatsoever.

    To be safe, I ran:

    Code:
    sudo apt-get update
    sudo apt-get upgrade
    and then had a look at the version:

    Code:
    openssl version
    Code:
    mark@Lexington:~$ dpkg-query -l 'openssl'
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version        Description
    +++-==============-==============-============================================
    ii  openssl        1.0.1-4ubuntu5 Secure Socket Layer (SSL) binary and related
    As Mr. Timme's SourceForge page specified, "your server might be vulnerable as the version is below 1.0.1g." And as I cannot understand what package I have installed, since the return from dpkg shows only 4ubuntu5 and not the alphabet revision, I'm frankly worried my computer may be vulnerable.

    I have also read these relevant pages to this attack vector:

    USN-2165-1: OpenSSL vulnerabilities

    Upgrades

    I don't want to upgrade from Ubuntu Ver. 12.04LTS (Precise Pangolin) until the whole Ubuntu community does. (I'm a computer follower, not leader), so:

    -------------------------------------------------

    What package of OpenSSL is installed on my computer? Is it a package that is vulnerable? If it is vulnerable, is there a fix other than upgrading from 12.04?
    AMD Athlon II X4 620, 4gig ddr2-800, m/b MSI K9N6PGM2, 1T SATA, EVGA 9500GT, Brother MFC-240C prntr, LG DVD-rom GSA-H55N

  2. #2
    Join Date
    Apr 2005
    Location
    EU - UK
    Beans
    3,352
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenSSL Server Heartbeat or Heartbleed vulnerability

    If you have already read the USN, why are you worried about that? If you have already installed the update you are fine. Upgrades in this case mean package upgrades, not distribution upgrades.

    Thus, your system is not vulnerable anymore; as the USN says, all the supported packages have been patched already. To make sure, try giving
    Code:
    openssl version -a
    and check the build date.

    Obviously you are fine and you don't need to upgrade to a newer ubuntu version.

  3. #3
    Join Date
    Mar 2006
    Location
    Rumplestiltskin, Cal.
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenSSL Server Heartbeat or Heartbleed vulnerability

    mark@Lexington:~$ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr 7 20:33:29 UTC 2014

    Case Closed. Thanks.
    AMD Athlon II X4 620, 4gig ddr2-800, m/b MSI K9N6PGM2, 1T SATA, EVGA 9500GT, Brother MFC-240C prntr, LG DVD-rom GSA-H55N
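
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above. The upstream version string stays at "OpenSSL 1.0.1" when a distribution backports a fix and the `dpkg-query -l` listing can cut the version column short, so the script reads the build date from `openssl version -a` and the full package version from `dpkg-query -W`. Assumptions: GNU `date`, a cutoff of 7 Apr 2014 (the day USN-2165-1 was published), and a fixed package version that you pass in from the advisory for your release; the function names are hypothetical.

```shell
#!/bin/sh
# Extract the "built on:" timestamp from `openssl version -a` text on stdin.
built_on() {
    sed -n 's/^built on:[[:space:]]*//p' | head -n 1
}

# Return 0 if the build timestamp on stdin is at or after cutoff $1,
# 1 if it is older, 2 if no usable "built on:" line was found.
# Requires GNU date for -d parsing.
built_since() {
    cutoff=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    stamp=$(built_on)
    [ -n "$stamp" ] || return 2
    built=$(date -u -d "$stamp" +%s 2>/dev/null) || return 2
    [ "$built" -ge "$cutoff" ]
}

# Full installed version of a Debian package, without column truncation.
pkg_version() {
    dpkg-query -W -f='${Version}\n' "$1" 2>/dev/null | head -n 1
}

# Return 0 if package $1 is installed at version >= $2, where $2 is the
# fixed version the advisory lists for your release (none is assumed here).
pkg_at_least() {
    have=$(pkg_version "$1")
    [ -n "$have" ] && dpkg --compare-versions "$have" ge "$2"
}

# Sample input: the `openssl version -a` lines quoted in post #3.
SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014'

# Cutoff is an assumption: 7 Apr 2014, the day USN-2165-1 was published.
if printf '%s\n' "$SAMPLE" | built_since "2014-04-07 00:00:00 UTC"; then
    echo "build date is on or after the cutoff"
else
    echo "build predates the cutoff, or no build date was found"
fi
```

The build date is only a quick indicator; comparing the installed package version against the advisory with `pkg_at_least` is the stronger check.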

  4. #4
    Join Date
    Jan 2014
    Beans
    20

    Re: OpenSSL Server Heartbeat or Heartbleed vulnerability

    I'm confused about this being solved because I just tried to update my openssl, and it failed to update to the patched version:
    - What should we users do immediately about the heartbleed heartbeet openssl saucy flaw

  5. #5
    Join Date
    Apr 2014
    Beans
    1

    Re: OpenSSL Server Heartbeat or Heartbleed vulnerability

    Thanks. Working fine.

  6. #6
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,344
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: OpenSSL Server Heartbeat or Heartbleed vulnerability

    Quote: Originally Posted by Damico
    I'm confused about this being solved because I just tried to update my openssl, and it failed to update to the patched version:
    - What should we users do immediately about the heartbleed heartbeet openssl saucy flaw
    Only currently supported versions of Ubuntu will be upgraded. That includes 10.04 Server, 12.04 LTS, 13.10, and 14.04 LTS. Any releases before 13.10 other than 10.04 Server are no longer supported. That's why most people should be using an LTS version.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
