With all the news about the Heartbleed vulnerability in the OpenSSL package lately I figured that I should make sure my servers were patched. In looking at the version I have installed it seemed I was indeed running one of the affected versions.

$ openssl version
OpenSSL 1.0.1 14 Mar 2012

I was concerned and confused because I was sure that I had made all the recent security updates which I did confirm with:

# apt-get dist-upgrade
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

So I needed to understand how I could be running all the latest updates but still have version of a package that was in the range of known impacted versions. This led me to some “apt” tools I was not previously aware of.

# apt-get changelog openssl
openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
– debian/patches/CVE-2014-0076.patch: add and use constant time swap in
crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
util/libeay.num.
– CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
– debian/patches/CVE-2014-0160.patch: use correct lengths in
ssl/d1_both.c, ssl/t1_lib.c.
– CVE-2014-0160

— Marc Deslauriers Mon, 07 Apr 2014 15:45:14 -0400

You can see above in the output of “apt-get changelog openssl”, the comment in bold shows that OpenSSL on my system has indeed been patched. I always love it when I learn something new and useful about how the Debian system works.

This is my Grandad, he is turning 93 in a few weeks. He just had carotid endarterectomy 12 hours before this picture and here he is anxiously awaiting discharge. He looks forward to every new day.

This was outside an ice rink in Jersey City, NJ. I was there watching my 14 year old son play a high school hockey game. I have two teenage children that have never used a payphone which seems strange because I used them regularly as a kid.