
Re: Can't patch Heartbleed bug?



On 2014-04-10 15:49, Lisi Reisz wrote:
> On Thursday 10 April 2014 14:18:00 Brad Alexander wrote:
>> I don't believe that Wheezy was vulnerable to Heartbleed. It was
>> only the 1.0.1f (committed 31 Dec 2011) that incorporated the
>> vulnerable heartbeat feature. My wheezy box has 1.0.1e:
>>
>> ii  libssl1.0.0:i386   1.0.1e-2+deb7u6   i386   SSL shared libraries
>> ii  openssl            1.0.1e-2+deb7u6   i386   Secure Socket Layer (SSL) binary and related cryptographic tools
>
> I have:
>
> lisi@Tux-II:~$ dpkg-query -l openssl
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name             Version       Architecture  Description
> +++-================-=============-=============-===============================
> ii  openssl          1.0.1e-2+deb7 amd64         Secure Socket Layer (SSL) binar
> lisi@Tux-II:~$
>
> No u-anything.  I take it that that is still alright since it is
> anyway Wheezy?
>
> Lisi

https://www.debian.org/security/2014/dsa-2896

"For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5."

means wheezy was also vulnerable

root@swotrs:~# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================-=================-=================-========================================================
ii openssl 1.0.1e-2+deb7u6 amd64 Secure Socket Layer (SSL) binary and related cryptograph

is the good version in wheezy

br
Andre

