OpenSSL patch for heartbleed

Questions about applications and software
Forum rules
Before you post please read this

OpenSSL patch for heartbleed

Postby SliperySam on Thu Apr 10, 2014 1:07 am

Hello,
I searched the forums for any mention for open SSl patch for heartbleed. However i only came across the info for LM main. I was wondering what the situation for LMDE is. I ran a check for the version number and it is old one built on nov 2013. I also checked updates and there was nothing there too. When can LMDE users expect the patched version? I hope this wont remain unpatched till the next UP :(. IM currently on UP8
Thanks in advance
SliperySam
SliperySam
Level 1
Level 1
 
Posts: 1
Joined: Thu Apr 10, 2014 1:00 am

Linux Mint is funded by ads and donations.
 

Re: OpenSSL patch for heartbleed

Postby killer de bug on Thu Apr 10, 2014 4:32 am

The patch is in Romeo and will be in available for all today. :wink:
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Re: OpenSSL patch for heartbleed

Postby fu-sen on Thu Apr 10, 2014 6:50 am

I confirmed that an update package of OpenSSL was reflected by debian.linuxmint.com.
The mirror site may be delayed a little more.

In LMDE, OpenSSL is updated in the most recent version (1.0.1g):
Code: Select all
$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ openssl version -b
built on: Mon Apr  7 21:30:49 UTC 2014
BALLOON a.k.a. Fu-sen. | ふうせん Fu-sen.
17 Cinnamon / KDE | 13 MATE / Xfce | LMDE Cinnamon
Let's use Linux Mint (Japanese Information) http://linuxmintjp.jimdo.com/ | リナックスミントをつかおう
User avatar
fu-sen
Level 1
Level 1
 
Posts: 43
Joined: Thu Mar 06, 2014 4:16 am
Location: Miyagi, Japan

Re: OpenSSL patch for heartbleed

Postby py-thon on Thu Apr 10, 2014 9:11 am

fu-sen wrote:In LMDE, OpenSSL is updated in the most recent version (1.0.1g):

Wrong. Most recent version in Debian Testing is 1.0.1-g2, an update considered "urgency=emergency" by http://metadata.ftp-master.debian.org/c ... _changelog .
Tower: Sparky 64 bit Mate+mintmenu - Netbook: LMDE Mate 32bit
py-thon
Level 4
Level 4
 
Posts: 250
Joined: Fri Sep 27, 2013 2:24 pm
Location: Paraguay

Re: OpenSSL patch for heartbleed

Postby killer de bug on Thu Apr 10, 2014 9:32 am

Only difference is that g-2 save a reboot :lol:
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Re: OpenSSL patch for heartbleed

Postby nathanjh13 on Thu Apr 10, 2014 9:53 am

Hiya. I'm using Mint 14 Mate and I've tried:

sudo apt-get update

sudo apt-get upgrade

sudo apt-get upgrade openssl

but I'm still showing a 2012 openssl version.

There's a walkthrough on youtube but I have no "official package repositories list" in the sources.list.d folder. There's a few files for a Libreoffice test, two called local-repositary, a couple from Firefox nightly, and another 6 with Quantal in the title.

Thanks for any help.
nathanjh13
Level 3
Level 3
 
Posts: 151
Joined: Mon Mar 22, 2010 2:48 pm

Re: OpenSSL patch for heartbleed

Postby py-thon on Thu Apr 10, 2014 10:15 am

Don't know whether it helps in this case but in general you should update with
Code: Select all
sudo apt-get update && sudo apt-get dist-upgrade
or use mintupdate.
What version of openssl is installed? 0.9.8 is not affected by heartbleed. 1.x should be updated.
Tower: Sparky 64 bit Mate+mintmenu - Netbook: LMDE Mate 32bit
py-thon
Level 4
Level 4
 
Posts: 250
Joined: Fri Sep 27, 2013 2:24 pm
Location: Paraguay

Re: OpenSSL patch for heartbleed

Postby killer de bug on Thu Apr 10, 2014 10:24 am

py-thon wrote:Don't know whether it helps in this case but in general you should update with
Code: Select all
sudo apt-get update && sudo apt-get dist-upgrade


No! He uses Linux Mint 14 based on Ubuntu. Frozen Snapshot. So no dist-upgrade for him, upgrade should be fine and safer. :)
Last edited by killer de bug on Thu Apr 10, 2014 11:58 am, edited 1 time in total.
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Re: OpenSSL patch for heartbleed

Postby py-thon on Thu Apr 10, 2014 10:59 am

This has nothing to do with being based on Ubuntu or Debian directly.
Upgrade does not install necessary dependencies, dist-upgrade does. Therefore using upgrade can mean that packages are not upgraded because of conflicts arising from dependencies (of the package you are trying to upgrade or other installed packages). dist-upgrade tries to solve the dependencies. dist-upgrade does not mean distribution upgrade.
See for example http://askubuntu.com/questions/215267/w ... er-version or the correspondent manpages.
Tower: Sparky 64 bit Mate+mintmenu - Netbook: LMDE Mate 32bit
py-thon
Level 4
Level 4
 
Posts: 250
Joined: Fri Sep 27, 2013 2:24 pm
Location: Paraguay

Re: OpenSSL patch for heartbleed

Postby killer de bug on Thu Apr 10, 2014 11:58 am

py-thon wrote:This has nothing to do with being based on Ubuntu or Debian directly.


I know exactly how dist-upgrade and upgrade work, thank you.

I repeat :
- Rolling distro : dist-upgrade or you will break everything sooner or later (LMDE case)
- Frozen snapshot, no big upgrade in soft, only security fix and minor revision, so upgrade.
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Re: OpenSSL patch for heartbleed

Postby nathanjh13 on Thu Apr 10, 2014 1:59 pm

Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.
nathanjh13
Level 3
Level 3
 
Posts: 151
Joined: Mon Mar 22, 2010 2:48 pm

Re: OpenSSL patch for heartbleed

Postby killer de bug on Thu Apr 10, 2014 2:53 pm

The fix was marked level 3 I think. So if you ignore it you can't have it...
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Re: OpenSSL patch for heartbleed

Postby nathanjh13 on Fri Apr 11, 2014 8:10 am

Thanks, I tried it with all levels enabled but no luck at all. It must be in a repo that I don't have enabled.

I'm planning on updating to Mint 17 end of May anyway.

I tried most of the url's I was worried about in here and I got lucky at least with that it seems.

http://filippo.io/Heartbleed/

Level 3 seems rather lowly for something attracting so much heat?

No to worry, thanks again.
nathanjh13
Level 3
Level 3
 
Posts: 151
Joined: Mon Mar 22, 2010 2:48 pm

Re: OpenSSL patch for heartbleed

Postby killer de bug on Fri Apr 11, 2014 8:46 am

nathanjh13 wrote:Level 3 seems rather lowly for something attracting so much heat?


:shock: Levels in update manager are not related to the importance or to the criticality of the bug... It's only related to the probability that applying this upgrade will break your system or not...
If I have seen further it is by standing on the shoulders of giants. [Isaac Newton]
User avatar
killer de bug
Level 7
Level 7
 
Posts: 1837
Joined: Tue Jul 08, 2008 1:49 pm
Location: Austria

Postby Lingula on Fri Apr 11, 2014 9:11 am

It's a relatively low risk security hole for the average user a desktop-oriented OS.
Hackers are unlikely to take the time to retrieve tiny chunks of data repeatedly from a boring target with no potential for financial gain.

It's a bigger concern for people hosting web servers and VPNs with saleable content, like Canada Revenue Agency during tax time!
Lingula
Level 4
Level 4
 
Posts: 286
Joined: Tue Apr 23, 2013 12:47 pm

Re: OpenSSL patch for heartbleed

Postby myrkat on Fri Apr 11, 2014 7:42 pm

nathanjh13 wrote:Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.
I have a similar problem with my Mint 16, I have OpenSSL 1.0.1e 11 Feb 2013 and selected to display all 5 levels in MintUpdate (checked that all were visible); I even checked the "Unstable packages (romeo)" under the Software Sources / Official repositories. Updated/refreshed, and I do not see any update for OpenSSL.

I manually did a sudo apt-get update && sudo apt-get dist-upgrade as well as a sudo apt-get upgrade and I'm still seeing OpenSSL 1.0.1e :(

Hell, I did sudo apt-get upgrade openssl and got
Code: Select all
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages have been kept back:
  gir1.2-gtksource-3.0 gjs gnome-font-viewer gnome-settings-daemon libgtkmm-3.0-1 libgtksourceview-3.0-1
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.

Any suggestions?
Main Comp: i7-4770K @ 3.5GHz + nVidia 760GTX + 16GB RAM + SSD + HDD
Linux Mint 17 - KDE
SteamOS Beta
Windows 8.1 Pro x64 (only for Xara)
User avatar
myrkat
Level 1
Level 1
 
Posts: 23
Joined: Sun Feb 02, 2014 7:10 pm

Re: OpenSSL patch for heartbleed

Postby eanfrid on Sat Apr 12, 2014 4:13 am

Please use the search engine before asking a question which has already been answered many times:
viewtopic.php?f=90&t=164361&p=846557#p846368
viewtopic.php?f=61&t=164364&p=845069#p845069
Main desktop: Debian GNU/Linux Wheezy 64bit w/custom 3.14 longterm kernel - MATE 1.8.1
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
True private storage on SpiderOak
User avatar
eanfrid
Level 7
Level 7
 
Posts: 1853
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: OpenSSL patch for heartbleed

Postby myrkat on Sat Apr 12, 2014 10:12 am

eanfrid wrote:Please use the search engine before asking a question which has already been answered many times:
viewtopic.php?f=90&t=164361&p=846557#p846368
viewtopic.php?f=61&t=164364&p=845069#p845069

I did use a search engine - that is what brought me to this ALREADY ESTABLISHED thread. Maybe you missed it, but I did not start a new thread on the topic.

Also, just because information and announcements are next to nothing for Linux Mint users, do not be upset with me because I did not find your replies. That seems a bit arrogant or snobby. That said, thank you for pointing me to your information. Backporting is what I suspected with the April 7 build date, but was not sure.
Main Comp: i7-4770K @ 3.5GHz + nVidia 760GTX + 16GB RAM + SSD + HDD
Linux Mint 17 - KDE
SteamOS Beta
Windows 8.1 Pro x64 (only for Xara)
User avatar
myrkat
Level 1
Level 1
 
Posts: 23
Joined: Sun Feb 02, 2014 7:10 pm

Re: OpenSSL patch for heartbleed

Postby eanfrid on Sat Apr 12, 2014 10:45 am

@myrkat: I am neither upset nor arrogant :) But did you notice that this topic is about LMDE, which works differently than the Ubuntu-based main edition ? :wink:
Main desktop: Debian GNU/Linux Wheezy 64bit w/custom 3.14 longterm kernel - MATE 1.8.1
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
True private storage on SpiderOak
User avatar
eanfrid
Level 7
Level 7
 
Posts: 1853
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: OpenSSL patch for heartbleed

Postby py-thon on Sat Apr 12, 2014 10:45 am

@myrkat
So you should check in synaptic to get the exact version which openssl version -a obviously doesn't (it shows the build date but not the complete version name).
Depending on the Mint version it should show
1.0.1e-3ubuntu1.2 (on Mint 16, which you are talking about)
1.0.1-4ubuntu5.12 (on Mint 13)
1.0.1g-2 (on LMDE, which this thread is about)
Tower: Sparky 64 bit Mate+mintmenu - Netbook: LMDE Mate 32bit
py-thon
Level 4
Level 4
 
Posts: 250
Joined: Fri Sep 27, 2013 2:24 pm
Location: Paraguay

Linux Mint is funded by ads and donations.
 
Next

Return to Software & Applications

Who is online

Users browsing this forum: No registered users and 10 guests