
I am running an Ubuntu 12.04 server and I just updated the server with (and rebooted afterwards)

sudo apt-get dist-upgrade

Now the OpenSSL version says it is built on 7 Apr 2014, which is good, but the version seems to be 1.0.1e, which is vulnerable. So which is correct, the date or the version information?

jan

3 Answers


Ubuntu backported the fix to 1.0.1e rather than switching to the new version. See zless /usr/share/doc/openssl/changelog.Debian.gz for details.

However, you have to restart affected services (that loaded the old version at startup) as well or they will remain vulnerable.

Håkan Lindqvist
$ sudo apt-get changelog openssl | grep CVE-2014-0160
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
    - CVE-2014-0160

This will show you if you have a patched version.

Florin Asăvoaie
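An added script that combines the two answers above, Håkan's point that a backported fix keeps the 1.0.1e version string and that running services must be restarted, and Florin's changelog grep for CVE-2014-0160, into two checks. It is not code from either answerer; the changelog, version and lsof samples are constructed (shaped like the output shown on this page), and the libssl path is assumed to be the one on Ubuntu 12.04.

```shell
#!/bin/sh
# Added example (not from the answers above). The version string alone is
# misleading on Ubuntu 12.04: the fix was backported and the package still
# reports 1.0.1e, so the Debian changelog is the authoritative evidence.
# Prints one of: patched, vulnerable, unaffected, unknown.
#
# $1: text of the package changelog (`apt-get changelog openssl` or
#     `zcat /usr/share/doc/openssl/changelog.Debian.gz`)
# $2: text printed by `openssl version -a`
heartbleed_status() {
    changelog="$1"
    verinfo="$2"
    # First token after "OpenSSL " on the first line, e.g. "1.0.1e".
    ver=$(printf '%s\n' "$verinfo" | sed -n '1s/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    case "$ver" in
        "")                    echo unknown;    return 2 ;;
        1.0.1|1.0.1[a-f])      ;;                              # upstream-vulnerable releases
        1.0.1*|1.0.2*|1.1*|3*) echo unaffected; return 0 ;;    # 1.0.1g and later branches
        0.9.*|1.0.0*)          echo unaffected; return 0 ;;    # no TLS heartbeat support
        *)                     echo unknown;    return 2 ;;
    esac
    # Backported fix: version stays 1.0.1e, but the changelog names the CVE.
    if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# PIDs still mapping a libssl that was replaced on disk (lsof marks the
# mapping DEL); they run the old code until restarted. $1: output of `lsof -n`.
stale_libssl_pids() {
    printf '%s\n' "$1" | awk '$4 == "DEL" && $NF ~ /libssl/ { print $2 }' | sort -u
}

# Constructed sample inputs for a stand-alone run (not captured from a real host).
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 17 20:54:07 UTC 2014'
SAMPLE_CHANGELOG_PATCHED='    - debian/patches/CVE-2014-0160.patch: use correct lengths in
    - CVE-2014-0160'
SAMPLE_CHANGELOG_UNPATCHED='  * no entry naming the heartbeat bug'
SAMPLE_LSOF='sshd 1234 root DEL REG 8,1 12345 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx 2345 www-data mem REG 8,1 23456 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

heartbleed_status "$SAMPLE_CHANGELOG_PATCHED" "$SAMPLE_VERSION"            # patched
heartbleed_status "$SAMPLE_CHANGELOG_UNPATCHED" "$SAMPLE_VERSION" || true  # vulnerable
stale_libssl_pids "$SAMPLE_LSOF"                                          # 1234
```

On a live host, feed `heartbleed_status` the real `apt-get changelog openssl` and `openssl version -a` output, and `stale_libssl_pids` the output of `lsof -n` run as root; a build date after 7 Apr 2014 on its own proves nothing.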

Upgrading OPENSSL is ___FAR___ from being enough.

I recommend at least the following, though I'm not exhaustive:

  • upgrade OPENSSL to a safe version like you did
  • make your users change all their passwords, they may have been compromised
  • change all your ssl certificates.

More detailed answers can be found here: Heartbleed: What is it and what are options to mitigate it? To check if your version of OPENSSL is not vulnerable on any Debian-based distribution, you can do the following:

apt-get update && apt-get install openssl

If you obtain

openssl is already the newest version.

then you are not vulnerable. All major Linux and BSD distributions have included a safe version of openssl really quickly.

As of today, here is the expected output:

# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 17 20:54:07 UTC 2014
  • Except the case where you have a local mirror (like in a company or something) that doesn't have an updated version or something like that. It is FAR better to check if you are actually patched than relying on having "the latest version". Also, the question was just "how do I check if I have a vulnerable version?" and not "how to react on the heartbleed vulnerability". I think it is a rather bad answer. – Florin Asăvoaie Apr 18 '14 at 11:21
  • I've never heard of any system administrator having a local apt mirror without knowing it. But if you go that way, I'd say you really should check source code in your favorite distro repository and look at what your favorite package maintainer has committed in source tree. Feel free to edit my answer or yours –  Apr 18 '14 at 11:32
  • Also see http://serverfault.com/questions/587324/heartbleed-how-to-reliably-and-portably-check-the-openssl-version –  Apr 18 '14 at 11:42