Openssl upgraded via apt-get, `openssl version` showing previous version
Solution 1
Per the Debian bug tracker, the Heartbleed issue was updated in version 1.0.1e-2+deb7u5:
Marked as fixed in versions 1.0.1e-2+deb7u5. Request was from Salvatore Bonaccorso to [email protected]. (Mon, 07 Apr 2014 21:45:14 GMT) Full text and rfc822 format available.
As such, you're running the updated version and are no longer vulnerable.
Source: https://bugs.debian.org/743883
This is common practice: Debian applied the security fix to the version that was already in the distribution.
Solution 2
The upstream version is 1.0.1e, which is what is being shown. What is the problem? Note the 2+deb7u5 after the dash is Debian-specific.
Related videos on Youtube
32 : 16
03 : 29
07 : 20
08 : 25
01 : 55
user51279
Updated on September 18, 2022Comments
-
user51279 over 1 year
I am running Debian Wheezy. I have just upgraded my system and should have the latest version of openssl (1.0.1g which fixes a critical bug), but it does not appear to be being used.
I have run:
apt-get update apt-get upgradedpkg -s openssl shows:
Version: 1.0.1e-2+deb7u5openssl version shows:
OpenSSL 1.0.1e 11 Feb 2013I have rebooted my system since upgrading. What do I need to do to get openssl using the updated version?
-
Admin about 10 yearsSee also How do I recover from the Heartbleed bug in OpenSSL? (which touches on this concern, but buried in a bigger answer).
-
-
user51279 about 10 yearsThanks for the clarification. So it's normal for the command
openssl versionto still report the same as it was previously? I guess I expected that would change. -
Dave Lesser about 10 yearsI agree that
openssl versionreporting the same as before isn't particularly helpful. -
Gilles 'SO- stop being evil' about 10 yearsBecause 1.0.1g is the latest upstream version at this time, and a lot of people are paying attention because of a highly publicized security vulnerability. Debian followed their practice of backporting security fixes, which isn't immediately obvious to people who aren't used to this practice. -
David Wilkins about 10 yearsIf you have doubts, you can check for the vulnerability using filippo.io/Heartbleed
-
burmat about 10 years@user51279 run openssl version -b and you can see the updated build date. -
plugwash over 8 yearsNote that the "openssl" package only contains the tools etc. If you are looking for security fixes to the library you need to check the versions of the library packages (libssl1.0.0 and libcrypto1.0.0 )
