
Thread: The OpenSSL Heartbleed Bug Strikes The Internet

  1. #1
    Join Date
    Jan 2007
    Posts
    15,419

    The OpenSSL Heartbleed Bug Strikes The Internet

    Phoronix: The OpenSSL Heartbleed Bug Strikes The Internet

    As many Phoronix readers have already reported in, a very serious OpenSSL security vulnerability was discovered that allows attackers to read memory in 64k chunks. A very serious bug in OpenSSL 1.0.1/1.0.2-beta has been leaking information since the bug's introduction in 2011...

    http://www.phoronix.com/vr.php?view=MTY1ODE

  2. #2
    Join Date
    Oct 2012
    Location
    Sweden
    Posts
    373

    Default

    A lot of fanboys told us to use OpenSSL when a vulnerability in GnuTLS was found. I hope this shuts them up. Software is never perfect.

  3. #3
    Join Date
    Nov 2008
    Location
    Madison, WI, USA
    Posts
    881

    Default

    Regardless of what happened in the GnuTLS thread, this is bad news. I've already updated my work machine, but this is going to impact a lot of businesses/sites/certificates and also users. I suspect I'm in for another round of full password changes.

  4. #4
    Join Date
    Oct 2009
    Location
    Brisbane, Queensland, Australia
    Posts
    154

    Default

    Updates which address this security vulnerability are now available in the Ubuntu repositories for all supported versions of Ubuntu.

  5. #5
    Join Date
    Jul 2013
    Posts
    75

    Default

    Quote Originally Posted by madbiologist View Post
    Updates which address this security vulnerability are now available in the Ubuntu repositories for all supported versions of Ubuntu.
    People said Ubuntu delivered the patch, and indeed last night my Mint 16 installation received an OpenSSL update. However, when I type "openssl version -a" I get

    OpenSSL 1.0.1e 11 Feb 2013
    built on: Mon Apr 7 20:33:19 UTC 2014
    platform: debian-amd64

    ^

    My laptop is also running Mint 14 and gets something similar, but the version is 1.0.1c.

    I'm getting the feeling that 1.0.1g is the patched version?

    So I tried manually adding the g version, but the makefile didn't work properly. Is there a PPA for this to get the latest version?

    Thanks

  6. #6
    Join Date
    Apr 2008
    Posts
    182

    Default

    Quote Originally Posted by phill1978 View Post
    OpenSSL 1.0.1e 11 Feb 2013
    built on: Mon Apr 7 20:33:19 UTC 2014
    {...}
    something similar but the version is 1.0.1c
    {...}
    Im getting the feeling that 1.0.1g is the patched version ?
    - 1.0.1g is the official OpenSSL version which doesn't have the vulnerability.

    What Debian, Ubuntu, Mint, and many other distributions are providing you is an update of OpenSSL that is still the exact same version as before (so no change from whatever was there to 1.0.1g, and thus no incompatibility problems due to changing versions) but with a patch against "Heartbleed" applied.

    Hence the version string you're getting: this 1.0.1e version was compiled just a few hours ago, probably with the patch applied.
    (For more information, see the Security Update page from your distribution, for example for Debian and openSUSE. I'm sure Ubuntu and Mint have similar sources of information.)

  7. #7
    Join Date
    Jul 2013
    Posts
    75

    Default

    Quote Originally Posted by DrYak View Post
    - 1.0.1g is the official OpenSSL version which doesn't have the vulnerability.

    What Debian, Ubuntu, Mint, and many other distributions are providing you is an update of OpenSSL that is still the exact same version as before (so no change from whatever was there to 1.0.1g, and thus no incompatibility problems due to changing versions) but with a patch against "Heartbleed" applied.

    Hence the version string you're getting: this 1.0.1e version was compiled just a few hours ago, probably with the patch applied.
    (For more information, see the Security Update page from your distribution, for example for Debian and openSUSE. I'm sure Ubuntu and Mint have similar sources of information.)
    Thanks for the reply.

  8. #8
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,283

    Default

    Joke's on you, I'm still on 0.9.8. Ha!

  9. #9
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    528

    Default

    Quote Originally Posted by curaga View Post
    Joke's on you, I'm still on 0.9.8. Ha!
    But not the services you were using, so...

  10. #10
    Join Date
    Nov 2008
    Location
    Madison, WI, USA
    Posts
    881

    Default

    Quote Originally Posted by phill1978 View Post
    People said Ubuntu delivered the patch, and indeed last night my Mint 16 installation received an OpenSSL update. However, when I type "openssl version -a" I get

    OpenSSL 1.0.1e 11 Feb 2013
    built on: Mon Apr 7 20:33:19 UTC 2014
    platform: debian-amd64

    ^

    My laptop is also running Mint 14 and gets something similar, but the version is 1.0.1c.

    I'm getting the feeling that 1.0.1g is the patched version?

    So I tried manually adding the g version, but the makefile didn't work properly. Is there a PPA for this to get the latest version?

    Thanks
    There is also a workaround for the affected versions. Recompile with "-DOPENSSL_NO_HEARTBEATS" as a compile-time option. It's possible that the Ubuntu patched version was just recompiled with that feature disabled (which is what Red Hat/CentOS have done with version 1.0.1e).
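    The checks discussed in posts #6 and #10 can be applied mechanically to the output of "openssl version -a": the upstream release letter (1.0.1g is fixed), a post-disclosure build date on a 1.0.1e build that points to a distro backport, and a -DOPENSSL_NO_HEARTBEATS flag on the compiler line, which `openssl version -a` prints. The Python below is an added example written for this page, not code from the thread or from the OpenSSL project. The sample output is constructed from the lines phill1978 posted (the compiler line is constructed), and treating 1.0.2-beta2 and later betas as fixed comes from OpenSSL's release history, not from this thread. A build date is only a hint that the fix was backported; the distribution's changelog is the authoritative confirmation.

```python
"""Classify `openssl version -a` output with respect to Heartbleed.

Added example, not from the thread. Encodes the checks the thread
discusses: upstream 1.0.1g is fixed, distros backported the fix into
rebuilt 1.0.1e packages (recognisable only by the build date, so a hint,
not proof), and a build compiled with -DOPENSSL_NO_HEARTBEATS has the
heartbeat extension removed entirely.
"""
import re
from datetime import date

# Day the fix was published; builds dated on/after this may carry the backport.
DISCLOSURE = date(2014, 4, 7)

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.M)
_BUILT_RE = re.compile(
    r"^built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})", re.M)
_COMPILER_RE = re.compile(r"^compiler:\s*(.*)$", re.M)

# Constructed sample: the version and build lines phill1978 posted, plus a
# constructed compiler line of the kind `openssl version -a` prints.
SAMPLE_THREAD = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:19 UTC 2014
platform: debian-amd64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -g -O2
"""


def parse_version_output(text):
    """Return (version tuple, patch letter, beta number or None, build date or None, compiler flags)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'OpenSSL x.y.z' line found")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    beta = int(m.group(5)) if m.group(5) else None
    b = _BUILT_RE.search(text)
    built = date(int(b.group(3)), _MONTHS[b.group(1)], int(b.group(2))) if b else None
    c = _COMPILER_RE.search(text)
    flags = c.group(1).split() if c else []
    return version, letter, beta, built, flags


def affected_upstream(version, letter, beta):
    """True for the upstream releases with the bug: 1.0.1 before 1.0.1g, and 1.0.2-beta1."""
    if version == (1, 0, 1):
        return letter < "g"      # '' (plain 1.0.1) through 'f' are affected
    if version == (1, 0, 2):
        return beta == 1         # beta1 shipped the bug; later betas carry the fix
    return False                 # 0.9.8 and 1.0.0 never had the heartbeat code


def assess(text):
    """Return one of: heartbeats-disabled, fixed-upstream, not-affected, possibly-backported, affected."""
    version, letter, beta, built, flags = parse_version_output(text)
    if "-DOPENSSL_NO_HEARTBEATS" in flags:
        return "heartbeats-disabled"
    if not affected_upstream(version, letter, beta):
        return "fixed-upstream" if version >= (1, 0, 1) else "not-affected"
    if built is not None and built >= DISCLOSURE:
        # Same version string but rebuilt on/after disclosure: the pattern of a
        # distro backport. Confirm against the package changelog.
        return "possibly-backported"
    return "affected"


if __name__ == "__main__":
    print(assess(SAMPLE_THREAD))
```

    Run it against the real output with `openssl version -a | python3 heartbleed_check.py` after replacing the `__main__` block with `assess(sys.stdin.read())`; the "possibly-backported" result for the thread's 1.0.1e build is exactly the situation DrYak describes, and it is the case where the distro's security advisory, not the version string, settles the question.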
