I think my version of SSL isn't vulnerable to Heartbleed, but I want to make sure
I recently upgraded to libssl0.9.8 in order to test slimboat.
I think this means my machine won't be vulnerable to Heartbleed. However, I should probably check and see whether I have any other uses of SSL that need to be fixed. How do I go about checking this? Thanks. |
Well .. is OpenSSL 1.0.1 installed? Did you compile it yourself and put it anywhere?
|
I've been looking at:
https://packages.debian.org/squeeze/libssl-dev and it appears that libssl is part of openssl. As for figuring out the version numbers, the only version number I know is the version number I installed yesterday. If OpenSSL 1.0.1 is on my machine, it probably is on there because some other install added it automatically. Thus I need to find out how to use Debian utilities to check for the presence of compromised packages. However, the output is not informative, e.g.:

# apt-get check libssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
|
Quote:
So one of those makefiles might have installed something. Or perhaps apt-get might have demanded openssl as a dependency. |
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)

find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.
|
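An added example, not written by anyone in the thread: a shell helper that applies the thresholds quoted above to an `openssl version` line and, for Debian wheezy, to a package version string. The function names and result labels are hypothetical, the rule that upstream 1.0.1g carries the fix is an assumption not stated in the thread, and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example. Thresholds come from the thread; labels are hypothetical.

# Second field of an `openssl version` line, e.g. "1.0.1e".
upstream_of() { printf '%s\n' "$1" | awk '{print $2}'; }

classify_upstream() {
    case "$1" in
        0.9.8*|1.0.0*) echo "not-affected" ;;      # branches the thread lists as safe
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*)
            echo "check-package" ;;                # distro may have backported the fix
        1.0.1[g-z]|1.0.1[g-z]-*)
            echo "fixed-upstream" ;;               # assumption: 1.0.1g is the upstream fix
        *) echo "unknown" ;;
    esac
}

# Debian wheezy revisions look like 1.0.1e-2+deb7uN; N >= 5 is patched.
classify_wheezy_pkg() {
    case "$1" in
        1.0.1e-2+deb7u*)
            n=${1##*deb7u}
            case "$n" in
                ''|*[!0-9]*) echo "unknown"; return ;;  # e.g. extra suffix
            esac
            if [ "$n" -ge 5 ]; then echo "patched"; else echo "needs-update"; fi ;;
        *) echo "unknown" ;;
    esac
}

# $1 = `openssl version` line, $2 = optional Debian package version.
assess() {
    up=$(classify_upstream "$(upstream_of "$1")")
    if [ "$up" = "check-package" ] && [ -n "$2" ]; then
        classify_wheezy_pkg "$2"
    else
        echo "$up"
    fi
}

# Constructed sample inputs, not taken from a real host.
assess "OpenSSL 0.9.8o 01 Jun 2010"
assess "OpenSSL 1.0.1e 11 Feb 2013" "1.0.1e-2+deb7u4"
assess "OpenSSL 1.0.1e 11 Feb 2013" "1.0.1e-2+deb7u5"
```

The package version string to pass as the second argument is the "Installed:" value printed by `apt-cache policy openssl`.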