
Comments

Stefan Kuhr

I have updated my raspi with debian wheezy as well, but after all updates have been applied, I still have openssl version 1.0.1e (which is vulnerable). What am I doing wrong?

mobilesociety

Hi Stefan,

I think the press is simplifying this a bit by focusing on the letter behind the version number. According to

--> https://security-tracker.debian.org/tracker/CVE-2014-0160

the issue is fixed in

--> libssl-doc/wheezy uptodate 1.0.1e-2+rvt+deb7u6

The deb7u6 is the indicator! Before my update it was deb7u4 which is marked in red as vulnerable on the page above and now it's deb7u6 while 1.0.1e did not change. Probably they don't change the version number due to the backport. I ran one of the web tools that check for the vulnerability against my server and it said it's patched now (but I didn't check before the update as I wasn't aware of the tool).

On Ubuntu, for example, there's not even an 'e' or 'g' at all, here it's 5.11 = vulnerable, 5.12 = fixed:

--> libssl1.0.0/precise-security upgradeable from 1.0.1-4ubuntu5.11 to 1.0.1-4ubuntu5.12

Summary: check the version number of libssl, if it has a 'deb7u6' at the end you should be o.k. :-)

Hope this helps,
Martin
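The version-suffix check Martin describes, as an added example that is not from the blog or its commenters: a pure-Python implementation of dpkg's version ordering, with the two fixed versions quoted in the comment placed in a constructed lookup table (`FIXED`, `is_patched` and the suite names are this example's own names). It shows why `deb7u6` rather than the `e` decides, and that a backported `1.0.1e-...deb7u6` still sorts below upstream `1.0.1g` even though both are fixed.

```python
import re
from itertools import zip_longest

def _weight(c):
    # dpkg's ordering for non-digit characters: '~' sorts before anything
    # (including end of string), letters before punctuation.
    if c == '~':
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Split each string into alternating (non-digit, digit) runs and compare
    # run by run: non-digit runs by character weight (a missing character
    # counts 0, so "1.0.1" < "1.0.1e"), digit runs numerically.
    runs_a = re.findall(r'(\D*)(\d*)', a)
    runs_b = re.findall(r'(\D*)(\d*)', b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=('', '')):
        for wa, wb in zip_longest(map(_weight, na), map(_weight, nb), fillvalue=0):
            if wa != wb:
                return (wa > wb) - (wa < wb)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return (ia > ib) - (ia < ib)
    return 0

def _split(v):
    # [epoch:]upstream_version[-debian_revision]; the revision follows the LAST '-'.
    epoch, _, rest = v.partition(':') if ':' in v else ('0', '', v)
    upstream, _, revision = rest.rpartition('-') if '-' in rest else (rest, '', '')
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed lookup: the fixed libssl versions quoted in the comment above.
FIXED = {"wheezy": "1.0.1e-2+rvt+deb7u6", "precise": "1.0.1-4ubuntu5.12"}

def is_patched(suite, installed):
    # True when the installed version is at least the suite's fixed version.
    return compare_versions(installed, FIXED[suite]) >= 0
```

On a Debian or Ubuntu host the installed version string to feed `is_patched` comes from `dpkg-query -W -f='${Version}' libssl1.0.0`.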
