Patch OpenSSL CVE-2014-0160 on ubuntu 12.04?
Solution 1
Why don't you update? If Ubuntu says you need 5.12, and that heartbleed site says you're vulnerable, what's the problem?
I have the following installed, which was updated yesterday or today on my machine.
ii openssl 1.0.1-4ubuntu5.12
Solution 2
Ubuntu has released a patch, you just need to update and upgrade.
sudo apt-get update
sudo apt-get upgrade
To check if you have the latest and patched version, run:
openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:33:19 UTC 2014
platform: debian-amd64
Check the "built on:" item, it should be build Apr 7.
Related videos on Youtube
slayedbylucifer
Updated on September 18, 2022Comments
-
slayedbylucifer over 1 year
NO, this is not a duplicate of How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?. So, read on.
I am seeing conflicting information with respect to Ubuntu 12.04:
- The Heartbleed page claims Ubuntu 12.04 to be affected and needs to be patched with 1.0.1g
- The Ubuntu Security Notice USN-2165-1 claims that version
1.0.1-4ubuntu5.12
for the packagelibssl1.0.0
should fix the issue on Ubuntu 12.04.
Now I do have these packages installed:
# dpkg -l | grep ssl ii libssl1.0.0 1.0.1-4ubuntu5.10 SSL shared libraries ii openssl 1.0.1-4ubuntu5.10 Secure Socket Layer (SSL) binary and related cryptographic tools # lsb_release -a | grep -i description Description: Ubuntu 12.04.3 LTS
So, If I consider above two points, I am not sure which one is true.
Besides, this Heartbleed test page says that my machine is vulnerable.
Has anyone yet been able to fix this issue successfully on Ubuntu 12.04? If yes, then could you provide me the steps you have taken?
-
belacqua about 10 yearsSee also launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12 for the fixed version Changelog
-
Admin about 10 yearsshouldn't the openssl version be 1.0.1g which contains the fix for CVE-2014-0160 as per the changelog on OpenSSL.org
-
slayedbylucifer about 10 years@Greco, correct me if I am wrong. The version
1.0.1g
shows up only if it is installed via source. If it installed via theapt-get
, it shows1.0.1-4ubuntu5.12
. Please refer: ubuntu.com/usn/usn-2165-1 -
Lucio about 10 yearspossible duplicate of How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?
-
slayedbylucifer about 10 years+1...thanks for the
-a
option. It give much more information. All this time I was simply runningopenssl version
. -
Thomas K about 10 yearsYour welcome, I learned it yesterday ;)
-
The Thirsty Ape about 10 yearsPerfect Answer. Was unsure that I could just use
apt-get
to do everything. -
HorusKol about 10 yearswhen i run
dpkg
, I'm told I have1.0.1-4ubuntu5.12
of the library - but when I runopenssl version -a
it reports asOpenSSL 1.0.1 14 Mar 2012
with a build date ofMon Apr 7 20:33:29 UTC 2014
- is it the build date that is important? -
slayedbylucifer about 10 years@HorusKol, your configuration is good. It is same at my end as well and that indeed is a desirable one. So nothing to worry.