OpenSSL patch for heartbleed

Post by SliperySam »

Hello,
I searched the forums for any mention of an OpenSSL patch for heartbleed. However I only came across the info for LM main. I was wondering what the situation for LMDE is. I ran a check for the version number and it is an old one built on Nov 2013. I also checked updates and there was nothing there either. When can LMDE users expect the patched version? I hope this won't remain unpatched till the next UP :(. I'm currently on UP8.
Thanks in advance
SliperySam
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Post by killer de bug »

The patch is in Romeo and will be available for all today. :wink:

Post by fu-sen »

I confirmed that an update package of OpenSSL was reflected by debian.linuxmint.com.
The mirror site may be delayed a little more.

In LMDE, OpenSSL is updated to the most recent version (1.0.1g):

Code:

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ openssl version -b
built on: Mon Apr  7 21:30:49 UTC 2014

Post by py-thon »

fu-sen wrote: In LMDE, OpenSSL is updated to the most recent version (1.0.1g):
Wrong. Most recent version in Debian Testing is 1.0.1-g2, an update considered "urgency=emergency" by http://metadata.ftp-master.debian.org/c ... _changelog .

Post by killer de bug »

Only difference is that g-2 saves a reboot :lol:

Post by nathanjh13 »

Hiya. I'm using Mint 14 Mate and I've tried:

sudo apt-get update

sudo apt-get upgrade

sudo apt-get upgrade openssl

but I'm still showing a 2012 openssl version.

There's a walkthrough on YouTube but I have no "official package repositories list" in the sources.list.d folder. There are a few files for a LibreOffice test, two called local-repositary, a couple from Firefox nightly, and another 6 with Quantal in the title.

Thanks for any help.

Post by py-thon »

Don't know whether it helps in this case but in general you should update with

Code:

sudo apt-get update && sudo apt-get dist-upgrade
or use mintupdate.
What version of openssl is installed? 0.9.8 is not affected by heartbleed. 1.x should be updated.

Post by killer de bug »

py-thon wrote: Don't know whether it helps in this case but in general you should update with

Code:

sudo apt-get update && sudo apt-get dist-upgrade
No! He uses Linux Mint 14 based on Ubuntu. Frozen Snapshot. So no dist-upgrade for him, upgrade should be fine and safer. :)
Last edited by killer de bug on Thu Apr 10, 2014 11:58 am, edited 1 time in total.

Post by py-thon »

This has nothing to do with being based on Ubuntu or Debian directly.
Upgrade does not install necessary dependencies, dist-upgrade does. Therefore using upgrade can mean that packages are not upgraded because of conflicts arising from dependencies (of the package you are trying to upgrade or other installed packages). dist-upgrade tries to solve the dependencies. dist-upgrade does not mean distribution upgrade.
See for example http://askubuntu.com/questions/215267/w ... er-version or the corresponding manpages.

Post by killer de bug »

py-thon wrote: This has nothing to do with being based on Ubuntu or Debian directly.
I know exactly how dist-upgrade and upgrade work, thank you.

I repeat:
- Rolling distro: dist-upgrade or you will break everything sooner or later (LMDE case)
- Frozen snapshot, no big upgrade in soft, only security fix and minor revision, so upgrade.

Post by nathanjh13 »

Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.

Post by killer de bug »

The fix was marked level 3 I think. So if you ignore it you can't have it...

Post by nathanjh13 »

Thanks, I tried it with all levels enabled but no luck at all. It must be in a repo that I don't have enabled.

I'm planning on updating to Mint 17 end of May anyway.

I tried most of the URLs I was worried about in here and I got lucky at least with that it seems.

http://filippo.io/Heartbleed/

Level 3 seems rather lowly for something attracting so much heat?

Not to worry, thanks again.

Post by killer de bug »

nathanjh13 wrote: Level 3 seems rather lowly for something attracting so much heat?
:shock: Levels in update manager are not related to the importance or to the criticality of the bug... It's only related to the probability that applying this upgrade will break your system or not...

Post by Lingula »

It's a relatively low risk security hole for the average user of a desktop-oriented OS.
Hackers are unlikely to take the time to retrieve tiny chunks of data repeatedly from a boring target with no potential for financial gain.

It's a bigger concern for people hosting web servers and VPNs with saleable content, like Canada Revenue Agency during tax time!

Post by myrkat »

nathanjh13 wrote: Thanks, it's version

OpenSSL 1.0.1c 10 May 2012

MintUpdate insists I'm up to date.

I enabled the unstable (Romeo) packages too and did an update (ignoring level 3 and level 4) and I also ran

sudo apt-get upgrade

anyway, but it's still the same version :?

Thanks again for any help.
I have a similar problem with my Mint 16, I have OpenSSL 1.0.1e 11 Feb 2013 and selected to display all 5 levels in MintUpdate (checked that all were visible); I even checked the "Unstable packages (romeo)" under the Software Sources / Official repositories. Updated/refreshed, and I do not see any update for OpenSSL.

I manually did a sudo apt-get update && sudo apt-get dist-upgrade as well as a sudo apt-get upgrade and I'm still seeing OpenSSL 1.0.1e :(

Hell, I did sudo apt-get upgrade openssl and got

Code:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages have been kept back:
  gir1.2-gtksource-3.0 gjs gnome-font-viewer gnome-settings-daemon libgtkmm-3.0-1 libgtksourceview-3.0-1
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Any suggestions?

Post by eanfrid »

Please use the search engine before asking a question which has already been answered many times:
http://forums.linuxmint.com/viewtopic.p ... 57#p846368
http://forums.linuxmint.com/viewtopic.p ... 69#p845069

Post by myrkat »

eanfrid wrote: Please use the search engine before asking a question which has already been answered many times:
http://forums.linuxmint.com/viewtopic.p ... 57#p846368
http://forums.linuxmint.com/viewtopic.p ... 69#p845069
I did use a search engine - that is what brought me to this ALREADY ESTABLISHED thread. Maybe you missed it, but I did not start a new thread on the topic.

Also, just because information and announcements are next to nothing for Linux Mint users, do not be upset with me because I did not find your replies. That seems a bit arrogant or snobby. That said, thank you for pointing me to your information. Backporting is what I suspected with the April 7 build date, but was not sure.

Post by eanfrid »

@myrkat: I am neither upset nor arrogant :) But did you notice that this topic is about LMDE, which works differently than the Ubuntu-based main edition? :wink:

Post by py-thon »

@myrkat
So you should check in Synaptic to get the exact version, which openssl version -a obviously doesn't give (it shows the build date but not the complete version name).
Depending on the Mint version it should show
1.0.1e-3ubuntu1.2 (on Mint 16, which you are talking about)
1.0.1-4ubuntu5.12 (on Mint 13)
1.0.1g-2 (on LMDE, which this thread is about)
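
An added example, not part of the thread or of any poster's message: it compares the full package version (what Synaptic shows) with the fixed versions quoted above, because a backported fix leaves the upstream string from openssl version unchanged. The release labels and function names are chosen for this example, and the sample versions in the loop are constructed.

```shell
#!/bin/sh
# Added example: decide from the *package* version whether the Heartbleed
# fix is installed. Requires dpkg (Debian, Ubuntu, Mint).

# Fixed package versions exactly as quoted in the thread. The release
# labels (mint16, mint13, lmde) are names chosen for this example.
fixed_version() {
    case "$1" in
        mint16) echo "1.0.1e-3ubuntu1.2" ;;
        mint13) echo "1.0.1-4ubuntu5.12" ;;
        lmde)   echo "1.0.1g-2" ;;
        *)      return 1 ;;
    esac
}

# installed_version PACKAGE: full package version, e.g. for "openssl".
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# heartbleed_status VERSION RELEASE
# Prints not-affected, patched, needs-update, or unknown.
heartbleed_status() {
    [ -n "$1" ] || { echo unknown; return 0; }   # package not installed
    fixed=$(fixed_version "$2") || { echo unknown; return 0; }
    if dpkg --compare-versions "$1" lt "1.0.1"; then
        echo not-affected      # the bug was introduced in upstream 1.0.1
    elif dpkg --compare-versions "$1" ge "$fixed"; then
        echo patched           # upstream part may still read 1.0.1e (backport)
    else
        echo needs-update
    fi
}

# Constructed sample versions, not taken from a real machine.
for sample in "1.0.1e-3ubuntu1 mint16" "1.0.1e-3ubuntu1.2 mint16" \
              "1.0.1f-1 lmde" "0.9.8o-4 lmde" "1.0.1c-3ubuntu2 mint14"; do
    set -- $sample
    printf '%-20s %-7s %s\n' "$1" "$2" "$(heartbleed_status "$1" "$2")"
done
# Live check: heartbleed_status "$(installed_version openssl)" mint16
```

A release with no fixed version listed in the thread is reported as unknown rather than guessed.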