
Thread: OpenSSL version Issue

  1. #1
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    OpenSSL version Issue

    Hello guys,

    You must have heard about the so-called "heartbleed" problem all over the internet. This issue has been affecting Ubuntu 13.10 as well.

    I have noticed that OpenSSL and libssl have been updated to release 1.0.1e. When you take a look at the latest release on the official site, it's 1.0.1g: http://www.openssl.org/news/

    Can this discrepancy be fixed on the official repository or do we have to manually compile the sources?

  2. #2
    Join Date
    Nov 2011
    Beans
    2,336
    Distro
    Ubuntu

    Re: OpenSSL version Issue

    For 13.10, 'e' has been patched. If you've updated, you have it. See: http://www.ubuntu.com/usn/usn-2165-1/.

  3. #3
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: OpenSSL version Issue

    If you take a careful look at the link I've posted, the "e" version has been uploaded weeks before the "Heartbeat overflow issue" was discovered... Woops!

    I suspect the "e" release does not include patches for this issue.

  4. #4
    Join Date
    Nov 2011
    Beans
    2,336
    Distro
    Ubuntu

    Re: OpenSSL version Issue

    Quote: Originally posted by actionmystique
    If you take a careful look at the link I've posted, the "e" version has been uploaded weeks before the "Heartbeat overflow issue" was discovered... Woops!

    I suspect the "e" release does not include patches for this issue.

    Then you think Ubuntu's security notice lied? You can follow the links in that notice and read the patch yourself.

  5. #5
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: OpenSSL version Issue

    They must have overlooked the last OpenSSL sources; otherwise, they would have mapped their package version to the original sources release number.

  6. #6
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: OpenSSL version Issue

    I've asked the same question in their launchpad forum; let's wait and see their answer.

  7. #7
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 17.04 Zesty Zapus

    Re: OpenSSL version Issue


  8. #8
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: OpenSSL version Issue

    @coffeecat: Thanks for the link; now I'm sure that my up-to-date Ubuntu 13.10 has NOT been patched with the latest OpenSSL 1.0.1g patch of April 7th:

    Ubuntu 13.10 OpenSSL version.jpg
    https://docs.google.com/document/d/1...it?usp=sharing

    Build date and version are 2 separate things!

    Someone took the 1.0.1e OpenSSL sources that were uploaded on the official site on the 11th of February and compiled them.

    Wake up call!

  9. #9
    Join Date
    Nov 2011
    Beans
    2,336
    Distro
    Ubuntu

    Re: OpenSSL version Issue

    Have you updated?

    The package for 13.10 in the repo (http://packages.ubuntu.com/saucy/openssl) is tagged 1.0.1e-3ubuntu1.2 and the changelog (http://changelogs.ubuntu.com/changel...u1.2/changelog) shows the patch was applied on 7 April.

    The previous version for Saucy was 1.0.1e-3ubuntu1.1.

    Here on 14.04, openssl is tagged 1.0.1f-1ubuntu2 and the changelog shows the same patch was applied on the same day.

    Distributions do not necessarily adhere to upstream numbering conventions.

  10. #10
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    172
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: OpenSSL version Issue

    You cannot say that you've not been warned.
    It's up to you to stick with the old OpenSSL release.
    I'm going to build the last 1.0.1g on my system from the sources.
