6

I am running Debian Wheezy. I have just upgraded my system and should have the latest version of openssl (1.0.1g which fixes a critical bug), but it does not appear to be being used.

I have run:

apt-get update
apt-get upgrade

dpkg -s openssl shows: Version: 1.0.1e-2+deb7u5

openssl version shows: OpenSSL 1.0.1e 11 Feb 2013

I have rebooted my system since upgrading. What do I need to do to get openssl using the updated version?

2 Answers

9

Per the Debian bug tracker, the Heartbleed issue was updated in version 1.0.1e-2+deb7u5:

Marked as fixed in versions 1.0.1e-2+deb7u5. Request was from Salvatore Bonaccorso to control@bugs.debian.org. (Mon, 07 Apr 2014 21:45:14 GMT) Full text and rfc822 format available.

As such, you're running the updated version and are no longer vulnerable.

Source: https://bugs.debian.org/743883

This is common practice: Debian applied the security fix to the version that was already in the distribution.

  • Thanks for the clarification. So it's normal for the command openssl version to still report the same as it was previously? I guess I expected that would change. – user51279 Apr 08 '14 at 00:54
  • I agree that openssl version reporting the same as before isn't particularly helpful. – Dave Lesser Apr 08 '14 at 01:42
  • If you have doubts, you can check for the vulnerability using http://filippo.io/Heartbleed/ – David Wilkins Apr 08 '14 at 19:26
  • @user51279 run openssl version -b and you can see the updated build date. – burmat Apr 09 '14 at 16:50
  • Note that the "openssl" package only contains the tools etc. If you are looking for security fixes to the library you need to check the versions of the library packages (libssl1.0.0 and libcrypto1.0.0 ) – plugwash Dec 16 '15 at 14:55
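The answer and its comments make two points worth checking mechanically: the Heartbleed fix lives in the Debian revision (2+deb7u5), not in the upstream version string that `openssl version` prints, and the package to check is the library package libssl1.0.0 rather than the openssl tools package. The following Python script is an added example, not code from any answer on this page. It reimplements dpkg's version-comparison algorithm (the same rules `dpkg --compare-versions` uses), parses constructed `dpkg -s` output embedded inline, and reports whether the installed version is at or above the fixed version quoted above. The sample status blocks are constructed; on a real system you would feed it the actual output of `dpkg -s libssl1.0.0`.

```python
# Added example: check a Debian package version against a known-fixed version.
# Assumes the fixed version 1.0.1e-2+deb7u5 from the Debian bug tracker quote above.

def _order(c):
    """Sort weight of a non-digit character, as in dpkg: '~' < end of string < letters < others."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string

def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    def at(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit run numerically (leading zeros ignored, longer run wins).
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return -1 if r < 0 else (1 if r > 0 else 0)

def parse_dpkg_status(text):
    """Turn `dpkg -s` style output into a dict of top-level fields."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return fields

def has_fix(status_text, fixed_version):
    """Return (package, installed_version, is_fixed) for one `dpkg -s` block."""
    f = parse_dpkg_status(status_text)
    installed = f.get("Version", "")
    ok = f.get("Status", "").endswith("installed") and compare_versions(installed, fixed_version) >= 0
    return f.get("Package"), installed, ok

# Constructed sample output, shaped like `dpkg -s libssl1.0.0` on Wheezy.
SAMPLE_LIBSSL_FIXED = """Package: libssl1.0.0
Status: install ok installed
Architecture: amd64
Source: openssl
Version: 1.0.1e-2+deb7u5
"""
SAMPLE_LIBSSL_OLD = SAMPLE_LIBSSL_FIXED.replace("deb7u5", "deb7u4")

if __name__ == "__main__":
    for sample in (SAMPLE_LIBSSL_FIXED, SAMPLE_LIBSSL_OLD):
        pkg, ver, ok = has_fix(sample, "1.0.1e-2+deb7u5")
        print(f"{pkg} {ver}: {'fixed' if ok else 'NOT fixed'}")
    # The upstream part is all `openssl version` reports, so it cannot change with a Debian-only fix.
    print("upstream part only:", parse_version("1.0.1e-2+deb7u5")[1])
```

The comparison deliberately mirrors dpkg's rules (tilde sorts before anything, letters before punctuation, digit runs compared numerically) so that revisions such as deb7u10 sort above deb7u5 and a pre-release like 1.0.1e~beta1 sorts below 1.0.1e; a plain string comparison would get both wrong.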
2

The upstream version is 1.0.1e, which is what is being shown. What is the problem? Note the 2+deb7u5 after the dash is Debian-specific.

– Faheem Mitha