15

I have installed Ubuntu 12.04 on my machine and it got the Heartbleed version of OpenSSL 1.0.1. So I uninstalled OpenSSL 1.0.1 and installed the new 1.0.1g version by referring to this link.

Now I want to confirm that the "Apache 2.2.22" available on Ubuntu 12.04 is using 1.0.1g and not 1.0.1 version of OpenSSL. How will I confirm this?

Bhushan Kawadkar

1 Answer

24
```
$ apt-cache policy openssl
openssl:
  Installed: xxx
```

"Installed: xxx" shows the currently installed version of openssl. Heartbleed is fixed in the following package versions (or later):

Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2

Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.7

Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12

If your installed package version is lower than these, then your system is vulnerable to Heartbleed.

bain
  • Thanks for the reply. Will this ensure that the Apache I am using (which is available on Ubuntu) is using the upgraded OpenSSL 1.0.1g? I can see `Installed: 1.0.1-4ubuntu5.16` on my machine now. – Bhushan Kawadkar Jul 31 '14 at 09:51
  • Yes. Make sure you are doing regular security updates - heartbleed is not the only security vulnerability to affect 12.04. – bain Jul 31 '14 at 09:53
  • Ok great :). What are the other security vulnerabilities affecting 12.04? Can you share any link or document? Thank you very much :) – Bhushan Kawadkar Jul 31 '14 at 09:55
  • 2
    Here: [Ubuntu 12.04 security notices](http://www.ubuntu.com/usn/precise/) Note that is just the first page, if you scroll down you will see that (as of July 2014) there are **12 pages of vulnerabilities in 12.04**. Everyone should do regular security updates. – bain Jul 31 '14 at 10:04