With all the news about the Heartbleed vulnerability in the OpenSSL package lately I figured that I should make sure my servers were patched. In looking at the version I have installed it seemed I was indeed running one of the affected versions.
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
I was concerned and confused because I was sure that I had made all the recent security updates which I did confirm with:
# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
So I needed to understand how I could be running all the latest updates but still have a version of a package that was in the range of known impacted versions. This led me to some apt tools I was not previously aware of.
# apt-get changelog openssl
openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in

 -- Marc Deslauriers  Mon, 07 Apr 2014 15:45:14 -0400
In the output of apt-get changelog openssl above, the CVE-2014-0160 entry shows that OpenSSL on my system has indeed been patched. The reason the version looked vulnerable is that Debian and Ubuntu backport security fixes onto the existing upstream release (1.0.1 here) and record them in the package revision (4ubuntu5.12), so the version string printed by openssl version never changes. I always love it when I learn something new and useful about how the Debian system works.
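Added here as an example, not code from the original post: a small Python checker that parses apt-get changelog output and decides whether the installed package revision is at or after the entry that introduced a given CVE fix, using the changelog's newest-first ordering instead of re-implementing dpkg's version comparison. The changelog text is a constructed excerpt based on the entry quoted above; the maintainer e-mail is a placeholder and the older entry is filler. Feed it the package version from dpkg-query -W -f='${Version}' openssl, since openssl version only reports the upstream release.

```python
import re

# Constructed changelog excerpt. The first entry mirrors the page's output
# (e-mail address replaced by a placeholder); the second is filler to show
# an older revision that predates the fix.
CHANGELOG = """\
openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in

 -- Marc Deslauriers <EMAIL-PLACEHOLDER>  Mon, 07 Apr 2014 15:45:14 -0400

openssl (1.0.1-4ubuntu5.11) precise-security; urgency=low

  * constructed filler entry for an earlier, unrelated upload

 -- Example Maintainer <EMAIL-PLACEHOLDER>  Mon, 03 Mar 2014 12:00:00 -0400
"""

# Debian changelog entry header: "<source> (<version>) <distribution>; urgency=..."
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, {CVE ids mentioned in that entry})], newest first."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.group(2), set()))
        elif entries:
            entries[-1][1].update(CVE_ID.findall(line))
    return entries


def fix_present(installed_version, cve_id, text=CHANGELOG):
    """True if installed_version is the same as, or newer than, the oldest
    changelog entry mentioning cve_id (entries are ordered newest first)."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    fixed_at = max((i for i, (_, cves) in enumerate(entries) if cve_id in cves),
                   default=None)
    return fixed_at is not None and versions.index(installed_version) <= fixed_at
```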