OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 1:07 am
by SliperySam
Hello,
I searched the forums for any mention of an OpenSSL patch for heartbleed. However, I only came across the info for LM main. I was wondering what the situation for LMDE is. I ran a check for the version number and it is an old one built on Nov 2013. I also checked updates and there was nothing there either. When can LMDE users expect the patched version? I hope this won't remain unpatched till the next UP :(. I'm currently on UP8.
Thanks in advance
SliperySam

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 4:32 am
by killer de bug
The patch is in Romeo and will be available for all today. :wink:

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 6:50 am
by fu-sen
I confirmed that an update package of OpenSSL was reflected by debian.linuxmint.com.
The mirror site may be delayed a little more.

In LMDE, OpenSSL is updated in the most recent version (1.0.1g):

Code:

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ openssl version -b
built on: Mon Apr  7 21:30:49 UTC 2014

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 9:11 am
by py-thon
fu-sen wrote:In LMDE, OpenSSL is updated in the most recent version (1.0.1g):
Wrong. Most recent version in Debian Testing is 1.0.1-g2, an update considered "urgency=emergency" by http://metadata.ftp-master.debian.org/c ... _changelog .

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 9:32 am
by killer de bug
Only difference is that g-2 saves a reboot :lol:

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 9:53 am
by nathanjh13
Hiya. I'm using Mint 14 Mate and I've tried:

sudo apt-get update

sudo apt-get upgrade

sudo apt-get upgrade openssl

but I'm still showing a 2012 openssl version.

There's a walkthrough on youtube but I have no "official package repositories list" in the sources.list.d folder. There's a few files for a Libreoffice test, two called local-repositary, a couple from Firefox nightly, and another 6 with Quantal in the title.

Thanks for any help.

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 10:15 am
by py-thon
Don't know whether it helps in this case but in general you should update with

Code:

sudo apt-get update && sudo apt-get dist-upgrade
or use mintupdate.
What version of openssl is installed? 0.9.8 is not affected by heartbleed. 1.x should be updated.

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 10:24 am
by killer de bug
py-thon wrote:Don't know whether it helps in this case but in general you should update with

Code:

sudo apt-get update && sudo apt-get dist-upgrade
No! He uses Linux Mint 14 based on Ubuntu. Frozen Snapshot. So no dist-upgrade for him, upgrade should be fine and safer. :)

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 10:59 am
by py-thon
This has nothing to do with being based on Ubuntu or Debian directly.
Upgrade does not install necessary dependencies, dist-upgrade does. Therefore using upgrade can mean that packages are not upgraded because of conflicts arising from dependencies (of the package you are trying to upgrade or other installed packages). dist-upgrade tries to solve the dependencies. dist-upgrade does not mean distribution upgrade.
See for example http://askubuntu.com/questions/215267/w ... er-version or the corresponding manpages.

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 11:58 am
by killer de bug
py-thon wrote:This has nothing to do with being based on Ubuntu or Debian directly.
I know exactly how dist-upgrade and upgrade work, thank you.

I repeat :
- Rolling distro : dist-upgrade or you will break everything sooner or later (LMDE case)
- Frozen snapshot, no big upgrade in soft, only security fix and minor revision, so upgrade.

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 1:59 pm
by nathanjh13
Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.

Re: OpenSSL patch for heartbleed

Posted: Thu Apr 10, 2014 2:53 pm
by killer de bug
The fix was marked level 3 I think. So if you ignore it you can't have it...

Re: OpenSSL patch for heartbleed

Posted: Fri Apr 11, 2014 8:10 am
by nathanjh13
Thanks, I tried it with all levels enabled but no luck at all. It must be in a repo that I don't have enabled.

I'm planning on updating to Mint 17 end of May anyway.

I tried most of the URLs I was worried about in here and I got lucky at least with that, it seems.

http://filippo.io/Heartbleed/

Level 3 seems rather lowly for something attracting so much heat?

Not to worry, thanks again.

Re: OpenSSL patch for heartbleed

Posted: Fri Apr 11, 2014 8:46 am
by killer de bug
nathanjh13 wrote: Level 3 seems rather lowly for something attracting so much heat?
:shock: Levels in update manager are not related to the importance or to the criticality of the bug... It's only related to the probability that applying this upgrade will break your system or not...

Posted: Fri Apr 11, 2014 9:11 am
by Lingula
It's a relatively low risk security hole for the average user of a desktop-oriented OS.
Hackers are unlikely to take the time to retrieve tiny chunks of data repeatedly from a boring target with no potential for financial gain.

It's a bigger concern for people hosting web servers and VPNs with saleable content, like Canada Revenue Agency during tax time!

Re: OpenSSL patch for heartbleed

Posted: Fri Apr 11, 2014 7:42 pm
by myrkat
nathanjh13 wrote:Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.
I have a similar problem with my Mint 16, I have OpenSSL 1.0.1e 11 Feb 2013 and selected to display all 5 levels in MintUpdate (checked that all were visible); I even checked the "Unstable packages (romeo)" under the Software Sources / Official repositories. Updated/refreshed, and I do not see any update for OpenSSL.

I manually did a sudo apt-get update && sudo apt-get dist-upgrade as well as a sudo apt-get upgrade and I'm still seeing OpenSSL 1.0.1e :(

Hell, I did sudo apt-get upgrade openssl and got

Code:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages have been kept back:
  gir1.2-gtksource-3.0 gjs gnome-font-viewer gnome-settings-daemon libgtkmm-3.0-1 libgtksourceview-3.0-1
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Any suggestions?

Re: OpenSSL patch for heartbleed

Posted: Sat Apr 12, 2014 4:13 am
by eanfrid
Please use the search engine before asking a question which has already been answered many times:
http://forums.linuxmint.com/viewtopic.p ... 57#p846368
http://forums.linuxmint.com/viewtopic.p ... 69#p845069

Re: OpenSSL patch for heartbleed

Posted: Sat Apr 12, 2014 10:12 am
by myrkat
eanfrid wrote:Please use the search engine before asking a question which has already been answered many times:
http://forums.linuxmint.com/viewtopic.p ... 57#p846368
http://forums.linuxmint.com/viewtopic.p ... 69#p845069
I did use a search engine - that is what brought me to this ALREADY ESTABLISHED thread. Maybe you missed it, but I did not start a new thread on the topic.

Also, just because information and announcements are next to nothing for Linux Mint users, do not be upset with me because I did not find your replies. That seems a bit arrogant or snobby. That said, thank you for pointing me to your information. Backporting is what I suspected with the April 7 build date, but was not sure.

Re: OpenSSL patch for heartbleed

Posted: Sat Apr 12, 2014 10:45 am
by eanfrid
@myrkat: I am neither upset nor arrogant :) But did you notice that this topic is about LMDE, which works differently than the Ubuntu-based main edition ? :wink:

Re: OpenSSL patch for heartbleed

Posted: Sat Apr 12, 2014 10:45 am
by py-thon
@myrkat
So you should check in synaptic to get the exact version which openssl version -a obviously doesn't (it shows the build date but not the complete version name).
Depending on the Mint version it should show
1.0.1e-3ubuntu1.2 (on Mint 16, which you are talking about)
1.0.1-4ubuntu5.12 (on Mint 13)
1.0.1g-2 (on LMDE, which this thread is about)