[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can't patch Heartbleed bug?

On Thu, Apr 10, 2014 at 10:14:59AM -0400, Dan Ritter wrote:
> On Thu, Apr 10, 2014 at 03:54:38PM +0200, Florian Ernst wrote:
> > On Thu, Apr 10, 2014 at 09:18:00AM -0400, Brad Alexander wrote:
> > > I don't believe that Wheezy was vulnerable to Heartbleed. It was only the
> > > 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat
> > > feature. My wheezy box has 1.0.1e:
> > > [...]
> > > So you shouldn't have anything to worry about.
> > 
> > This is not accurate, OpenSSL 1.0.1 through 1.0.1f (inclusive) are
> > vulnerable. Please see
> > https://www.debian.org/security/2014/dsa-2896
> 
> Which says:
> 
> For the stable distribution (wheezy), this problem has been
> fixed in version 1.0.1e-2+deb7u5.
> 
> and then later this was upgraded to 1.0.1e-2+deb7u6.
> 
> Looking at the 1.0.1e is not sufficient.

True, this is <https://www.debian.org/security/faq#version>.

I think the link to the DSA explains which Debian version is not
vulnerable anymore, contrary to the general statement.

Cheers,
Flo
Reply to: