9

I've just learned about the Heartbleed Bug (OpenSSL leaking private keys), and based on the website, heartbleed.com, it says that OpenSSL 1.0.1 through version f is affected. However, it leaves Ubuntu 13.04 off the affected list AND the repositories do not have an update to it.

Let me paste some information here:

demortes@vps:/$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 13.04
Release:        13.04
Codename:       raring

AND

demortes@vps:/$ openssl
OpenSSL> version
OpenSSL 1.0.1c 10 May 2012
OpenSSL>

I'm seeing that we're not affected even though I have 1.0.1c installed... is this accurate? If not, how can I install OpenSSL 1.0.1g with package management now? If it is accurate... why?

Demortes
  • 116
  • You are running an end-of-life operating system and hence you are not supported. As per community guidelines, end-of-life operating systems are off-topic here on Ask Ubuntu and as such I have closed the question. – fossfreedom Apr 08 '14 at 07:03
  • 1
    ... and yes you are affected. Upgrade to 13.10 now because this bug and many others also affect your o/s. – fossfreedom Apr 08 '14 at 07:04
  • For those that might come across this: ISPConfig has released an RC version of ISPConfig 3. Doing an OS upgrade, upgrading ISPConfig 3 and resyncing everything should fix it. Note OpenSSL is still 1.0.1e, but likely patched as seen on another thread. – Demortes Apr 08 '14 at 07:34
  • 3
    See How to patch CVE-2014-0160 in OpenSSL? — and yes, you are affected if you run any SSL server. – Gilles 'SO- stop being evil' Apr 08 '14 at 11:36
  • I am running 13.10, and I just did apt-get update and upgrade, which included openssh, but this only gets me to 1.0.1f -- why is that?

    $ ssh -V
    OpenSSH_6.2p2 Ubuntu-6ubuntu0.3, OpenSSL 1.0.1e 11 Feb 2013

    – MrG Apr 10 '14 at 00:33
  • 1
    It is completely absurd, given the severity of this issue, to close a question and thus deny help to a large group of people. Inflexible application of guidelines (see definition of "guideline" versus "rule") makes for a really poor community. Please consider re-opening this question. – Josh Glover Apr 10 '14 at 08:51
  • 2
    @JoshGlover - In closing this I'm just following current community guidance for non-supported versions. If you wish to discuss this, please create a Meta question. – fossfreedom Apr 10 '14 at 11:32
  • 1
    I'm in favor of opening this issue. For now, here is my answer in a comment: Download the saucy package from http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1e-3ubuntu1.2_i386.deb (replacing "i386" with "amd64", according to your platform) and install it using dpkg -i. – Hosam Aly Apr 10 '14 at 17:47
  • The thing that stopped me from upgrading was the Apache 2 incompatibility with ISPConfig 3. At the time Heartbleed was announced, ISPConfig 3 had a beta or alpha, and has since released the update. This is no longer an issue for me. I am now running 14.04 LTS, and should be covered without issue. – Demortes May 02 '14 at 18:11

0 Answers
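Several comments above report an upstream string of 1.0.1e even after updating, so the banner alone cannot show whether the fix is installed. The following is an added example, not code from any poster in this thread: it compares the full libssl1.0.0 package version against the saucy build named in the URL in Hosam Aly's comment, following dpkg's version ordering. The host names and inventory lines are constructed, and the function names are hypothetical.

```python
import re
from itertools import zip_longest

# Fixed libssl1.0.0 build for 13.10 (saucy), taken from the package URL in the comments.
FIXED_SAUCY = "1.0.1e-3ubuntu1.2"

def _order(ch):
    # dpkg character ordering: '~' sorts before end-of-string, letters before symbols.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one component (upstream or revision) as alternating text/number chunks."""
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb):  # None marks the end of a text chunk
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(lines, fixed=FIXED_SAUCY):
    """Map each 'host package version' line to (upstream string, has_fix)."""
    out = {}
    for line in lines:
        host, _pkg, ver = line.split()
        out[host] = (_split(ver)[1], compare(ver, fixed) >= 0)
    return out

# Constructed inventory: `dpkg-query -W libssl1.0.0` output collected per saucy host.
SAMPLE = """web1 libssl1.0.0 1.0.1e-3ubuntu1
web2 libssl1.0.0 1.0.1e-3ubuntu1.2
web3 libssl1.0.0 1.0.1e-3ubuntu1.3""".splitlines()

if __name__ == "__main__":
    for host, (upstream, ok) in audit(SAMPLE).items():
        print(host, upstream, "has fix" if ok else "NEEDS UPDATE")
```

All three constructed hosts share the upstream string 1.0.1e; only the revision after the hyphen separates the build that needs updating from the ones at or past the fixed package.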