LinuxQuestions.org
Old 04-08-2014, 02:49 AM   #1
nerdofdarkness
I think my version of SSL isn't vulnerable to Heartbleed, but I want to make sure


I recently upgraded to libssl0.9.8 in order to test slimboat.

I think this means my machine won't be vulnerable to Heartbleed.

However, I should probably check and see whether I have any other uses of SSL that need to be fixed.

How do I go about checking this?

Thanks.
 
Old 04-08-2014, 07:42 AM   #2
AlucardZero
Well .. is OpenSSL 1.0.1 installed? Did you compile it yourself and put it anywhere?
 
Old 04-08-2014, 07:52 PM   #3
nerdofdarkness
I've been looking at:

https://packages.debian.org/squeeze/libssl-dev

and it appears that libssl is part of openssl.

As for figuring out the version numbers, the only version number I know is the version number I installed yesterday.

If OpenSSL 1.0.1 is on my machine, it probably is on there because some other install added it automatically.

Thus I need to find out how to use debian utilities to check for the presence of compromised packages.

However, the output is not informative, e.g.:

# apt-get check libssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
 
Old 04-08-2014, 07:54 PM   #4
nerdofdarkness
Quote:
Originally Posted by AlucardZero
Did you compile it yourself and put it anywhere?
I haven't been compiling utilities on this machine, I've been using apt-get for standard stuff and makefiles for nonstandard stuff.

So one of those makefiles might have installed something.

Or perhaps apt-get might have demanded openssl as a dependency.
 
Old 04-10-2014, 10:06 AM   #5
AlucardZero
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.
 
2 members found this post helpful.
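The check described in post #5, as an added example that is not part of the original thread: a POSIX shell function that reads the text printed by `openssl version -a` and applies the post's rule (0.9.8 and 1.0.0 are not vulnerable; a 1.0.1 built on April 6 or earlier needs updating). The year 2014 for the cutoff, the function name `classify_openssl` and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: applies the rule from the post above to the text printed by
# `openssl version -a`. All sample outputs below are constructed.

# classify_openssl TEXT -> prints ok | update | unknown
classify_openssl() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    case "$ver" in
        0.9.8*|1.0.0*) echo ok; return ;;   # branches the post lists as not vulnerable
        1.0.1*) ;;                          # decided by the build date below
        *) echo unknown; return ;;          # not covered by the post
    esac
    # Expected line: "built on: Mon Apr  7 20:33:29 UTC 2014" -> 20140407
    built=$(printf '%s\n' "$1" | awk '
        /^built on:/ && NF == 8 && length($4) == 3 {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (m % 3 == 1 && $5 ~ /^[0-9]+$/ && $8 ~ /^[0-9][0-9][0-9][0-9]$/)
                printf "%04d%02d%02d\n", $8, (m + 2) / 3, $5
            exit
        }')
    # An unparseable or missing build date is reported, never guessed.
    [ -n "$built" ] || { echo unknown; return; }
    # The post: a 1.0.1 built on April 6 (assumed 2014) or earlier needs updating.
    if [ "$built" -le 20140406 ]; then echo update; else echo ok; fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OLD='OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Feb  1 22:14:33 UTC 2014
platform: debian-amd64'

SAMPLE_PATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:01:12 UTC 2014
platform: debian-amd64'

SAMPLE_098='OpenSSL 0.9.8o 01 Jun 2010
built on: Mon Feb 11 18:03:00 UTC 2013
platform: debian-amd64'

for s in "$SAMPLE_OLD" "$SAMPLE_PATCHED" "$SAMPLE_098"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_openssl "$s")"
done
```

On a real system the input would be `"$(/path/to/openssl version -a)"` for each binary the `find` command reports; an `unknown` result means the build line was not in the expected format and the package version from `apt-cache policy` should be checked instead.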
Old 04-10-2014, 04:47 PM   #6
xiongnu
Quote:
Originally Posted by AlucardZero
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.
Thanks for the info. I updated openssl on my Debian Wheezy machine yesterday (4/10), now it's openssl (1.0.1e-2+deb7u6).
 
Old 04-13-2014, 07:38 PM   #7
nerdofdarkness
Quote:
Originally Posted by AlucardZero
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.
Thank you.
 
  

