Only OpenSSL 1.0.1f or later has the fix for the heartbleed exploit. So does Ubuntu 12.04LTS have the fix? We need to use 12.04LTS for reasons I won't go into, and we can't upgrade.

According to this page, it uses OpenSSL "1.0.1" (with no letter at the end of the version number): http://packages.ubuntu.com/precise/libssl-dev

It has this file link on the right hand side... [openssl_1.0.1.orig.tar.gz]

Can that .orig file tell us anything?

Does anyone know if there was actually a "1.0.1" release of OpenSSL, or if someone just chopped off the letter?

Nick Bolton

2 Answers

The actual affected OpenSSL version in Ubuntu 12.04LTS is 1.0.1-4ubuntu5.11 and the current version is 1.0.1-4ubuntu5.21 (the number at the end matters here). It's been patched a few times since and should not be affected by the Heartbleed bug.

Here's a link from which you can see affected version numbers in different distributions: http://heartbleed.com/

Just in case, here's also the changelog for OpenSSL in Ubuntu 12.04LTS: http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.21/changelog

The fix for Heartbleed is mentioned for 1.0.1-4ubuntu5.12, so a couple of versions back.

A way to know this is to have a look at the Ubuntu Security Notices (USN), which are released each time a vulnerability is fixed in Ubuntu. In such a case, the release of the package in which it is fixed is stated.

For instance, for Heartbleed, the USN was USN-2165-1 (http://www.ubuntu.com/usn/usn-2165-1/), which states that it has been fixed in 1.0.1-4ubuntu5.12 for Ubuntu 12.04LTS.

It is possible to subscribe to such USNs by email, thanks to the ubuntu-security-announce mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Cheers,

Heis Spiter
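Both answers turn on the package revision (the part after `1.0.1-`), not on the upstream version string. As an added example that is not part of either answer, the Python code below orders the versions quoted above using Debian's version comparison rules and shows why a plain string comparison is not a safe substitute. The function names and the `1.0.1-4ubuntu5.9` sample are constructed for illustration.

```python
import re

# First fixed package version for Ubuntu 12.04 LTS, per USN-2165-1 as cited above.
FIXED_PRECISE = "1.0.1-4ubuntu5.12"

def _order(ch):
    """Debian sort weight: '~' < end of string < letters < other characters."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _part_key(part):
    """Split into (non-digit run, number) pairs; numbers compare as integers."""
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def deb_key(version):
    """Sort key for a Debian version string: [epoch:]upstream[-revision]."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"  # a missing revision sorts like "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def has_heartbleed_fix(installed, fixed=FIXED_PRECISE):
    """True when the installed package version is at or past the fixed one."""
    return deb_key(installed) >= deb_key(fixed)

if __name__ == "__main__":
    samples = [
        "1.0.1-4ubuntu5.11",  # affected version named in the first answer
        "1.0.1-4ubuntu5.12",  # fixed version named in USN-2165-1
        "1.0.1-4ubuntu5.21",  # current version named in the first answer
        "1.0.1-4ubuntu5.9",   # constructed sample: older than 5.12
    ]
    for v in samples:
        state = "patched" if has_heartbleed_fix(v) else "VULNERABLE"
        naive = v >= FIXED_PRECISE  # plain string comparison, shown for contrast
        print(f"{v:20} {state:10} (string comparison says patched: {naive})")
```

On an Ubuntu host, `dpkg --compare-versions <installed> ge 1.0.1-4ubuntu5.12` gives the same answer using dpkg's own comparison.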