Comment by MartinMond
12 years ago
As of now (21:04 UTC) this isn't fixed in Debian https://security-tracker.debian.org/tracker/CVE-2014-0160 nor Ubuntu http://people.canonical.com/~ubuntu-security/cve/2014/CVE-20...
Got a long night ahead :/
I just installed update openssl_1.0.1e-2+deb7u5 and libssl1.0.0_1.0.1e-2+deb7u5 on debian wheezy, so it seems the fix is now available.
You need to manually restart all processes linking libssl, too.
Something like "lsof -n | grep ssl | grep DEL" can identify processes using the DELeted old version of libssl after apt-get upgrading.
Debian comes with a handy tool for this called 'checkrestart' in the debian-goodies package.
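Added example, not part of any comment in the thread: a sketch of the same check as the `lsof -n | grep ssl | grep DEL` one-liner above, reading `/proc/<pid>/maps` directly and matching only libssl/libcrypto mappings marked `(deleted)`. The function names and the sample maps text are constructed for illustration, and it assumes a Linux `/proc`; run it as root to see other users' processes.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/maps text after libssl1.0.0 was upgraded
# while the process kept running (addresses and inodes are made up).
sample_maps() {
    cat <<'EOF'
00400000-004b2000 r-xp 00000000 08:01 131090 /usr/sbin/nginx
7f3a10000000-7f3a101b5000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a10400000-7f3a10456000 r-xp 00000000 08:01 393302 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10655000-7f3a1065c000 rw-p 00055000 08:01 393302 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10800000-7f3a10982000 r-xp 00000000 08:01 262155 /lib/x86_64-linux-gnu/libc-2.13.so
7f3a10c00000-7f3a10c01000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)
EOF
}

# stale_libs: read maps-format text on stdin and print each distinct
# libssl/libcrypto path whose mapping is marked "(deleted)", i.e. the file
# was replaced on disk but the old copy is still loaded in memory.
stale_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so[^/]*$" { print $(NF-1) }' | sort -u
}

# scan_proc ROOT: walk ROOT/<pid>/maps (ROOT defaults to /proc) and print
# "pid<TAB>command<TAB>library" for every process that needs a restart.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # not ours, or no match for the glob
        dir=${maps%/maps}
        libs=$(stale_libs < "$maps" 2>/dev/null) || continue   # process exited
        [ -n "$libs" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "$comm" "$lib"
        done
    done
}

scan_proc "${1:-/proc}"
```

An empty result after restarting services means no running process still maps the old library.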
Thanks for reminding, almost forgot about that.
Just saw the following updated when I did an 'apt-get clean; aptitude dist-upgrade' on Debian Wheezy:
libssl1.0.0 openssh-client openssh-server openssl ssh
I just wanted to point out that you really do not need the `apt-get clean`. Obviously your workflow is your business, but I wanted to speak up in case you thought it was needed before upgrading packages.
Just received an upgrade on Ubuntu 12.04 LTS as well, apt-get clean issued before updating.
EDIT: If you are using DigitalOcean, the update is not yet on their mirrors. Issue 'sudo sed -i "s/mirrors\.digitalocean/archive.ubuntu/g" /etc/apt/sources.list;sudo apt-get clean;sudo apt-get update;sudo apt-get upgrade' to get the patch. Check the comment by 0x0 above ( https://news.ycombinator.com/item?id=7549842 ) to find any services which need restarting.
I can confirm this for vanilla Ubuntu 12.04 LTS. I've been checking for the past hour. The updates for the following just appeared:
Setting up libssl-doc (1.0.1-4ubuntu5.12) ...
Setting up libssl-dev (1.0.1-4ubuntu5.12) ...
Setting up openssl (1.0.1-4ubuntu5.12) ...
We're actively working to update. :)
Same for hetzner.de: the default sources.list points to their [for the moment] outdated update-server.
Should the priority on the ubuntu-security page be higher than "Medium"?
Basically yes. However, from my experience, package update urgencies are not a good indicator of the update's actual priority. It's in the "*-security" channels and you're supposed to apply all updates from there.
Thanks for the links. The big thing heartbleed.com is missing is what to do!
Ubuntu 12.04 patch ready https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5....
1.0.1e-2+deb7u5 appearing now on security.debian.org.
I just did an apt-get update and apt-get upgrade and I saw upgrades for openssh-client and openssh-server.
OpenSSH != OpenSSL. Those upgrades are for a different vulnerability in OpenSSH.
Oh yeah, you're right.
Just got an openssl upgrade pushed by Ubuntu 12.04 as well.