With all the news about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL lately, I figured I should make sure my servers were patched. Looking at the installed version, it seemed I was indeed running one of the affected releases (1.0.1 through 1.0.1f):
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
I was concerned and confused, because I was sure I had applied all the recent security updates, which I confirmed with:
# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
So I needed to understand how I could have all the latest updates installed and still be running a version in the range of known affected versions. The explanation is that Debian and Ubuntu do not move a stable release to a newer upstream version to fix a security bug; they backport the fix into the existing upstream version and bump only the package revision (the part after the hyphen in the package version, for example 1.0.1-4ubuntu5.12, which dpkg -l openssl shows). "openssl version" prints only the upstream version string, so it cannot tell you whether the package carries backported fixes; the package changelog can. This led me to some apt tools I was not previously aware of.
# apt-get changelog openssl
openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers  Mon, 07 Apr 2014 15:45:14 -0400
You can see in the output of "apt-get changelog openssl" above that the newest entry, 1.0.1-4ubuntu5.12, lists CVE-2014-0160 (the TLS heartbeat memory disclosure), so OpenSSL on my system has indeed been patched. Since dist-upgrade reported nothing left to upgrade, the version whose changelog apt fetched is the one that is installed; "apt-cache policy openssl" will show the installed and candidate versions side by side if you want to confirm that. Two caveats are worth keeping in mind. The library your services actually link against is in the libssl1.0.0 package, not openssl; both are built from the same source package, so they share this changelog, but check that libssl1.0.0 is at the same version. And updating the library on disk does not fix processes that already loaded the old one, so restart every service that uses libssl (or reboot), and because Heartbleed can leak private keys from server memory, consider reissuing certificates for anything that was exposed while vulnerable. I always love it when I learn something new and useful about how the Debian system works.
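The changelog check above is easy to script so it can run across a fleet. The following is an added example, not code from the original post: it decides whether a given CVE is fixed in the installed package by reading the package changelog, rather than trusting the upstream string "openssl version" prints. Changelog stanzas are newest-first and everything at or below the installed version's stanza is part of the installed package, so the test is simply whether the CVE is mentioned in the installed version's stanza or any older one; no Debian version arithmetic is needed. The function names, the SAMPLE_CHANGELOG text (the 5.12 stanza mirrors the real one above, the 5.11 stanza is constructed filler) and the assumption that "apt-get changelog" prints to stdout when not attached to a terminal are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a CVE is fixed in the
# *installed* Debian/Ubuntu package by reading its changelog, instead of trusting
# the upstream version string that "openssl version" prints.
#
# Changelog stanzas are newest-first, and every stanza at or below the installed
# version's stanza is included in the installed package. So a CVE is fixed if it is
# mentioned in the installed version's stanza or in any older one below it.

# Constructed changelog excerpt in Debian changelog format. The 5.12 stanza mirrors the
# real one shown in the post; the 5.11 stanza is constructed filler, not a real entry.
SAMPLE_CHANGELOG='openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - CVE-2014-0160

 -- Marc Deslauriers  Mon, 07 Apr 2014 15:45:14 -0400

openssl (1.0.1-4ubuntu5.11) precise-security; urgency=medium

  * (constructed filler stanza for this example; no real changes listed)

 -- Example Maintainer  Mon, 03 Mar 2014 12:00:00 -0400
'

# cve_fixed_in CVE CHANGELOG: print the newest package version whose stanza mentions CVE
# (prints nothing if no stanza does).
cve_fixed_in() {
  printf '%s\n' "$2" | awk -v cve="$1" '
    /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }   # stanza header: "pkg (version) ..."
    index($0, cve)     { print ver; exit }
  '
}

# cve_fixed_in_installed INSTALLED_VERSION CVE CHANGELOG: exit 0 if CVE is mentioned in
# the INSTALLED_VERSION stanza or any older stanza below it, exit 1 otherwise.
cve_fixed_in_installed() {
  printf '%s\n' "$3" | awk -v inst="$1" -v cve="$2" '
    /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver); if (ver == inst) seen = 1 }
    seen && index($0, cve) { found = 1; exit }
    END { exit found ? 0 : 1 }
  '
}

# check_live PACKAGE CVE: the same check against the real system. Uses dpkg-query for the
# installed version and "apt-get changelog" for the changelog (assumed here to print to
# stdout when not attached to a terminal). Exit 0 = fixed, 1 = not fixed, 2 = not installed.
check_live() {
  inst=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || return 2
  cve_fixed_in_installed "$inst" "$2" "$(apt-get changelog "$1" 2>/dev/null)"
}

# Demonstration on the constructed changelog: 5.12 carries the Heartbleed fix, 5.11 does not.
printf 'CVE-2014-0160 first fixed in: %s\n' "$(cve_fixed_in CVE-2014-0160 "$SAMPLE_CHANGELOG")"
for v in 1.0.1-4ubuntu5.12 1.0.1-4ubuntu5.11; do
  if cve_fixed_in_installed "$v" CVE-2014-0160 "$SAMPLE_CHANGELOG"; then
    echo "openssl $v: CVE-2014-0160 fixed"
  else
    echo "openssl $v: CVE-2014-0160 NOT fixed"
  fi
done
```

On a real host, "check_live libssl1.0.0 CVE-2014-0160" is the call that matters, since libssl1.0.0 is the package services actually load; a zero exit only tells you the fix is on disk, so restarting the affected services is still a separate step.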