Ubuntu Linux and the Heartbleed OpenSSL vulnerability.
Antarctica Starts Here. 2014-04-08
Summary:
If you're in the mad scramble to patch the Heartbleed vulnerability in OpenSSL on your Ubuntu servers but you need to see some documentation, look in your /usr/share/doc/openssl/changelog.Debian.gz file. If you see the following at the very top of the file, you're patched:

    openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

      * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
        - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
          crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
          util/libeay.num.
        - CVE-2014-0076
      * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
        - debian/patches/CVE-2014-0160.patch: use correct lengths in
          ssl/d1_both.c, ssl/t1_lib.c.
        - CVE-2014-0160

     -- Marc Deslauriers Mon, 07 Apr 2014 15:45:14 -0400

If you don't, run sudo apt-get update followed by sudo apt-get upgrade -y and then reboot the machine to make sure everything linked against OpenSSL gets restarted and uses the new code. Better safe than sorry.
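
As an added example (not from the original post), here are both checks as a shell script. It searches the whole changelog for CVE-2014-0160 rather than only the top entry, since entries are newest-first and later package versions keep the older ones, and it lists processes that still map the pre-upgrade library, which is what the reboot takes care of. The function names and the --report switch are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeeds if the gzip-compressed Debian changelog mentions the given CVE id.
# Returns 2 if the file cannot be read, 1 if the CVE is not listed.
# $1 = path to changelog.Debian.gz, $2 = CVE id
changelog_has_fix() {
    [ -r "$1" ] || return 2
    gzip -dc "$1" | grep -F -- "$2" >/dev/null
}

# Prints the PIDs whose memory map still references a deleted libssl or
# libcrypto, i.e. processes started before the upgrade that still run the
# old code. Reading other users' maps needs root; unreadable ones are skipped.
# $1 = proc root (defaults to /proc; a parameter so it can be pointed at a copy)
stale_openssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Prints a short verdict for this machine.
heartbleed_report() {
    log=/usr/share/doc/openssl/changelog.Debian.gz   # path given in the post
    if changelog_has_fix "$log" CVE-2014-0160; then
        echo "openssl changelog lists CVE-2014-0160: package is patched"
    else
        echo "CVE-2014-0160 not found in $log: update openssl"
    fi
    stale=$(stale_openssl_pids)
    if [ -n "$stale" ]; then
        # unquoted on purpose so the PIDs print on one line
        echo "still running pre-upgrade OpenSSL (restart or reboot):" $stale
    fi
}

# Run as: sudo sh thisfile.sh --report
if [ "${1:-}" = "--report" ]; then
    heartbleed_report
fi
```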