
NO, this is not a duplicate of How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?. So, read on.

I am seeing conflicting information with respect to Ubuntu 12.04:

  1. The Heartbleed page claims that Ubuntu 12.04 is affected and needs to be patched with 1.0.1g.
  2. The Ubuntu Security Notice USN-2165-1 claims that version 1.0.1-4ubuntu5.12 for the package libssl1.0.0 should fix the issue on Ubuntu 12.04.

Now I do have these packages installed:

# dpkg -l | grep ssl
ii  libssl1.0.0                      1.0.1-4ubuntu5.10                 SSL shared libraries
ii  openssl                          1.0.1-4ubuntu5.10                 Secure Socket Layer (SSL) binary and related cryptographic tools

# lsb_release  -a | grep -i description
Description:    Ubuntu 12.04.3 LTS

So, if I consider the above two points, I am not sure which one is true.

Besides, this Heartbleed test page says that my machine is vulnerable.

Has anyone yet been able to fix this issue successfully on Ubuntu 12.04? If yes, then could you provide me with the steps you have taken?

slayedbylucifer
  • See also https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12 for the fixed version Changelog – belacqua Apr 10 '14 at 00:22
  • shouldn't the openssl version be 1.0.1g, which contains the fix for CVE-2014-0160 as per the changelog on OpenSSL.org? – Apr 10 '14 at 12:25
  • @Greco, correct me if I am wrong. The version `1.0.1g` shows up only if it is installed from source. If it is installed via `apt-get`, it shows `1.0.1-4ubuntu5.12`. Please refer: http://www.ubuntu.com/usn/usn-2165-1/ – slayedbylucifer Apr 11 '14 at 09:54
  • possible duplicate of [How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?](http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl) – Lucio Apr 21 '14 at 14:01

2 Answers


Ubuntu has released a patch; you just need to update and upgrade.

sudo apt-get update
sudo apt-get upgrade

To check if you have the latest and patched version, run:

openssl version -a

OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:19 UTC 2014
platform: debian-amd64

Check the "built on:" item; it should be built on Apr 7.

Luís de Sousa
Thomas K
  • +1...thanks for the `-a` option. It gives much more information. All this time I was simply running `openssl version`. – slayedbylucifer Apr 09 '14 at 08:28
  • You're welcome, I learned it yesterday ;) – Thomas K Apr 09 '14 at 08:31
  • Perfect Answer. Was unsure that I could just use `apt-get` to do everything. – The Thirsty Ape Apr 10 '14 at 23:43
  • When I run `dpkg`, I'm told I have `1.0.1-4ubuntu5.12` of the library - but when I run `openssl version -a` it reports as `OpenSSL 1.0.1 14 Mar 2012` with a build date of `Mon Apr 7 20:33:29 UTC 2014` - is it the build date that is important? – HorusKol Apr 11 '14 at 00:43
  • @HorusKol, your configuration is good. It is the same at my end as well, and that is indeed the desirable one. So, nothing to worry about. – slayedbylucifer Apr 11 '14 at 04:47
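As the comments above show, `openssl version -a` keeps reporting the upstream string (`OpenSSL 1.0.1 14 Mar 2012`) even after Ubuntu's backported fix, so the reliable check is the Debian package revision shown by `dpkg -l` against the USN-2165-1 version `1.0.1-4ubuntu5.12`. The following is an added example, not code from the answer or from Ubuntu: a small Python audit that parses `dpkg -l` lines and compares versions with the Debian policy ordering rules (so `5.9` sorts below `5.10`, and `~` sorts before a release); the sample `dpkg -l` output is constructed from the question.

```python
import re

# Fixed package versions from USN-2165-1 for Ubuntu 12.04, as quoted in the thread
FIXED_VERSIONS = {"libssl1.0.0": "1.0.1-4ubuntu5.12", "openssl": "1.0.1-4ubuntu5.12"}

def _char_order(c):
    # dpkg ordering: '~' sorts before everything (even end of string), letters before non-letters
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Debian policy algorithm: alternately compare non-digit runs lexically, digit runs numerically
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else "")
            ob = _char_order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def deb_version_cmp(v1, v2):
    # Compare two Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def audit_dpkg_output(dpkg_l_output):
    # Map each installed OpenSSL package in `dpkg -l` output to (version, patched?)
    report = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] in FIXED_VERSIONS:
            patched = deb_version_cmp(fields[2], FIXED_VERSIONS[fields[1]]) >= 0
            report[fields[1]] = (fields[2], patched)
    return report

SAMPLE_DPKG_OUTPUT = (  # constructed from the `dpkg -l | grep ssl` output in the question
    "ii  libssl1.0.0  1.0.1-4ubuntu5.10  SSL shared libraries\n"
    "ii  openssl      1.0.1-4ubuntu5.10  Secure Socket Layer (SSL) binary and related cryptographic tools\n")
```

On a real host, feed it the output of `dpkg -l libssl1.0.0 openssl`; a package whose revision is below the USN version is reported as unpatched regardless of what `openssl version` prints.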

Why don't you update? If Ubuntu says you need 5.12, and that heartbleed site says you're vulnerable, what's the problem?

I have the following installed, which was updated yesterday or today on my machine.

ii  openssl                                  1.0.1-4ubuntu5.12
SPRBRN