OpenSSL patch for heartbleed

[DrHu]

The bigger problem will be any websites that haven't patched their ssl connection softwared..
--they should be indicating that they have applied a fix; at which point the connecting user can change their password, if it is a subscriber based site or an email supplier, google etc..

[myrkat]

@myrkat
So you should check in synaptic to get the exact version which openssl version -a obviously doesn't (it shows the build date but not the complete version name).
Depending on the Mint version it should show
1.0.1e-3ubuntu1.2 (on Mint 16, which you are talking about)
1.0.1-4ubuntu5.12 (on Mint 13)
1.0.1g-2 (on LMDE, which this thread is about)

I did, and I do have the 1.0.1e-3ubuntu1.2 - thank you for the clarification. I figured the LMDE solution would be similar for Mint 16 - and to an effect it was... the upgrade and dist-upgrade backported (though that was not clear until eanfrid pointed me to his other replies in different threads. I weaved together a solution and am updated on my machine and my two kids' Mint 16 boxes (whole family is networked and solid linux).

[nathanjh13]

It's a relatively low risk security hole for the average user a desktop-oriented OS.
Hackers are unlikely to take the time to retrieve tiny chunks of data repeatedly from a boring target with no potential for financial gain.

I appreciate that no problem. I'm not suggesting for a minute they're interested in me, but some boring targets may indeed have potential for financial gain. I think it's foolish to second guess what hackers may and may not do but that's just me. I wasn't too worried hence I put "I'm planning on updating to Mint 17 end of May anyway". This was something I started to remedy, had a problem and thought, I may as well try to fix it.

Besides, every important site I use came up good in this filippo.io/Heartbleed/ except hotmail.com (which wasn't affected anyway (I found out later)) so I relaxed.

@eanfrid thanks for the links, very good. I of course also used the search but ended up here. [ I think the title "OpenSSL patch for heartbleed" threw me ]

This particular link from the other thread was very helpful http://mashable.com/2014/04/09/heartble ... affected/
Many thank to all

[nathanjh13]

Also I have, to admit ignorance, I misunderstood the meaning of "long term release".

I thought LM14, LM 15 and LM16 were maintained until along with LM13 and they all ended when support for LM13 finished. I didn't realise they only had 9 months after each release. My bad.

I suspect other users may not be aware of this and that their packages are very out of date (even though they're technically up to date for that release).

Code: Select all

sudo openssl version -a

If "built on" is on or after April 7 2014, you’re in the clear."

From:
http://www.digitaltrends.com/computing/ ... nssl-flaw/

[chuckatpdo]

FWIW...

(On Mint 15/386)

I performed:

wget http://packages.linuxmint.com/pool/upst ... 2_i386.deb
and
sudo dpkg -i openssl_1.0.1g-2_i386.deb

to effect the update.

[kwisher]

This has nothing to do with being based on Ubuntu or Debian directly.

I know exactly how dist-upgrade and upgrade work, thank you.

I repeat :
- Rolling distro : dist-upgrade or you will break everything sooner or later (LMDE case)
- Frozen snapshot, no big upgrade in soft, only security fix and minor revision, so upgrade.

FYI: I've used dist-upgrade on ubuntu/mint for years and have NEVER broke anything.

[py-thon]

(On Mint 15/386)

This version is no longer supported and thus might (I haven't checked) have other security issues apart from heartbleed.