In a hurry? See my question under the --------------- line.
I follow Falko Timme's Twitter feed and am glad I do, even though I'm an end user of Ubuntu. Today, Mr. Timme warned of an attack vector to #Openssl #Heartbleed #vulnerability.
I opened the link "How To Find Out If Your Server Is Affected"
and, even though I cannot recall ever installing something named OpenSSL, I was surprised to see that this package is installed on my home desktop box, which, AFAIK, does NOT serve anything whatsoever.
To be safe, I ran:
Code:
sudo update
sudo upgrade
and then had a look at the version:
Code:
openssl version
As Mr. Timme's SourceForge page specified "your server might be vulnerable as the version is below 1.0.1g." And I cannot understand what package I have installed as the return from dpkg shows only 4ubuntu5 and not the alphabet revision, I'm frankly worried my computer may be vulnerable.
Code:
mark@Lexington:~$ dpkg-query -l 'openssl'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  openssl        1.0.1-4ubuntu5 Secure Socket Layer (SSL) binary and related
I have also read these relevant pages to this attack vector:
USN-2165-1: OpenSSL vulnerabilities
Upgrades
I don't want to upgrade from Ubuntu Ver. 12.04LTS (Precise Pangolin) until the whole Ubuntu community does. (I'm a computer follower, not leader), so:
-------------------------------------------------
What package of OpenSSL is installed on my computer? Is it a package that is vulnerable? If it is vulnerable, is there a fix other than upgrading from 12.04?