Gee! These Aren't Roasted!
Hello guys,
You must have heard about the so called "heartbleed" problem all over the internet. This issue has been affecting Ubuntu 13.10 as well.
I have noticed that OpenSSL and libssl have been updated to release 1.0.1e. When you take a look at the latest release on the official site, it's 1.0.1g: http://www.openssl.org/news/
Can this discrepancy be fixed on the official repository or do we have to manually compile the sources?
Ubuntu addict and loving it
For 13.10, 'e' has been patched. If you've updated, you have it. See: http://www.ubuntu.com/usn/usn-2165-1/.
Gee! These Aren't Roasted!
If you take a careful look at the link I've posted, the "e" version ha&s been uploaded weeks before the "Heartbeat overflow issue" was discovered... Woops!
I suspect the "e" release does not include patches for this issue.
Ubuntu addict and loving it
Then you think Ubuntu's security notice lied? You can follow the links in that notice and read the patch yourself.Originally Posted by actionmystique
Gee! These Aren't Roasted!
I've asked the same question in their launchpad forum; let's wait and see their answer.
Gee! These Aren't Roasted!
They must have overlooked the last OpenSSL sources; otherwise, they would have mapped their package version to the original sources release number.
Ultimate Coffee Grinder
Ubuntu 20.04 Desktop Guide - Ubuntu 22.04 Desktop Guide - Forum Guide to BBCode - Using BBCode code tags
Member: Not Canonical Team
If you need help with your forum account, such as SSO login issues, username changes, etc, the correct place to contact an admin is here. Please do not PM me about these matters unless you have been asked to - unsolicited PMs concerning forum accounts will be ignored.
Gee! These Aren't Roasted!
@coffeecat: Thanks for the link; now I'm sure that my up-to-date Ubuntu 13.10 has NOT been patched with the latest OpenSSL 1.0.1g patch of April 7th:
Ubuntu 13.10 OpenSSL version.jpg
https://docs.google.com/document/d/1...it?usp=sharing
Build date and version are 2 separate things!
Someone took the 1.0.1e OpenSSL sources that were uploaded on the official site on the 11th of February and compiled them.
Wake up call!
Ubuntu addict and loving it
Have you updated?
The package for 13.10 in the repo (http://packages.ubuntu.com/saucy/openssl) is tagged 1.0.1e-3ubuntu1.2 and the changelog (http://changelogs.ubuntu.com/changel...u1.2/changelog) shows the patch was applied on 7 April.
The previous version for Saucy was 1.0.1e-3ubuntu1.1.
Here on 14.04, openssl is tagged 1.0.1f-1ubuntu2 and the changelog shows the same patch was applied on the same day.
Distributions do not necessarily adhere to upstream numbering conventions.
I'm back baby.
^^^ this.
If you believe everything you read, you better not read. ~ Japanese Proverb
If you don't read the newspaper, you're uninformed. If you read the newspaper, you're mis-informed. - Mark Twain
Thinking about becoming an Ubuntu Member?
Posting Permissions
Adv Reply
Bookmarks