First Cup of Ubuntu
Hi,
There's a new serious openssl security issue, affecting openssl 1.0.1 and 1.0.2-beta releases (including the one shipped with 13.10).
Is there an apt repo available with 1.0.1g or 1.0.2-beta1 ? These versions resolve the issue.
See also:
http://www.openssl.org/news/secadv_20140407.txt
https://news.ycombinator.com/item?id=7548468
http://heartbleed.com/
regards,
Mike
What are you planning?
Already fixed:
http://askubuntu.com/questions/44470...160-in-openssl
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
0-8-4
Don't waste your energy trying to change opinions ... Do your thing, and don't care if they like it.
Caffeine Fueled
I always check the Ubuntu Security Notices page, to see if a security problem has been resolved.
Just Give Me the Beans!
So I am guessing NO, but curious to ask. Does / did this effect OpenSSH in anyway? Any fault in a common library, etc.
What are you planning?
I don't think openssl was used for openssh. There was a previous update for openssh a few days ago, but it wasn't related to this vulnerability.
Here's the changelog from one of my Debian boxes, Ubuntu should have similar:
--- Changes for openssh (openssh-client openssh-server ssh) ---
openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high
* CVE-2014-2532: Disallow invalid characters in environment variable names
to prevent bypassing AcceptEnv wildcard restrictions.
* CVE-2014-2653: Attempt SSHFP lookup even if server presents a
certificate (closes: #742513).
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
First Cup of Ubuntu
I'm on Ubuntu 11.10 server. According to what I read, the vulnerability only effects Ubuntu 12+. My openSSl version is 1.0.0e, so it's older than what is effected, however there are other vulnerabilities, so I feel like I should upgrade to the latest. Is it possible?
I did:
sudo apt-get update
sudo apt-get upgrade
and after I still have OpenSSL 1.0.0e
*Should* I be trying to upgrade this, or is 1.0.0e safe?
*Can* I upgrade 11.10 to the current OpenSSL, or would that require upgrading the whole enchilada to Ubuntu 14?
What are you planning?
11.10 is End of Life. It would be a good idea to upgrade to 12.04 at the very least.
https://wiki.ubuntu.com/Releases
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
First Cup of Ubuntu
Yes I realize that.
First Cup of Ubuntu
So then I take it the answer to both questions is No?
Posting Permissions
Adv Reply
Bookmarks