Re: Can't patch Heartbleed bug?

To: debian-user@lists.debian.org
Subject: Re: Can't patch Heartbleed bug?
From: Dan Ritter <dsr@randomstring.org>
Date: Thu, 10 Apr 2014 10:14:59 -0400
Message-id: <[🔎] 20140410141459.GA26127@randomstring.org>
In-reply-to: <[🔎] 20140410135438.GE7727@fernst.no-ip.org>
References: <[🔎] 1397134570.73145.YahooMailNeo@web124502.mail.ne1.yahoo.com> <[🔎] CAKmZw+b8Cfgzh6m-EODxEdfKw9Rb+VE+2wqoRYMKhMbM_miEGQ@mail.gmail.com> <[🔎] 20140410135438.GE7727@fernst.no-ip.org>

On Thu, Apr 10, 2014 at 03:54:38PM +0200, Florian Ernst wrote:
> On Thu, Apr 10, 2014 at 09:18:00AM -0400, Brad Alexander wrote:
> > I don't believe that Wheezy was vulnerable to Heartbleed. It was only the
> > 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat
> > feature. My wheezy box has 1.0.1e:
> > [...]
> > So you shouldn't have anything to worry about.
> 
> This is not accurate, OpenSSL 1.0.1 through 1.0.1f (inclusive) are
> vulnerable. Please see
> https://www.debian.org/security/2014/dsa-2896

Which says:

For the stable distribution (wheezy), this problem has been
fixed in version 1.0.1e-2+deb7u5.

and then later this was upgraded to 1.0.1e-2+deb7u6.

Looking at the 1.0.1e is not sufficient.

-dsr-

Reply to:

Follow-Ups:
- Re: Can't patch Heartbleed bug?
  - From: Florian Ernst <florian_ernst@gmx.net>

References:
- Can't patch Heartbleed bug?
  - From: "Dr. Jennifer Nussbaum" <bg271828@yahoo.com>
- Re: Can't patch Heartbleed bug?
  - From: Brad Alexander <storm16@gmail.com>
- Re: Can't patch Heartbleed bug?
  - From: Florian Ernst <florian_ernst@gmx.net>

Prev by Date: Re: Can't patch Heartbleed bug?
Next by Date: S-Video on ThinkPad T42 with Debian Jessie - can't get above 800x600
Previous by thread: Re: Can't patch Heartbleed bug?
Next by thread: Re: Can't patch Heartbleed bug?
Index(es):
- Date
- Thread