Re: Why still heartbleed on Wheezy

2014-04-20 Thread Dom

On 20/04/14 06:39, Steve Litt wrote:

> Hi all,
>
> I installed Wheezy on my backup server, then did this:
>
> apt-get update
> apt-get upgrade
>
> root@bupserv:/backupserver/stevebup# openssl version
> OpenSSL 1.0.1e 11 Feb 2013
> root@bupserv:/backupserver/stevebup#
>
>
> Here's my /etc/apt/sources.list:
>
> ==
> #
>
> # deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64 NETINST
> Binary-1 20140208-13:45]/ wheezy main
>
> #deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64 NETINST
> Binary-1 20140208-13:45]/ wheezy main
>
> deb http://ftp.us.debian.org/debian/ wheezy main non-free contrib
> deb-src http://ftp.us.debian.org/debian/ wheezy main non-free contrib
>
> deb http://security.debian.org/ wheezy/updates main contrib non-free
> deb-src http://security.debian.org/ wheezy/updates main contrib non-free
>
> deb http://security.debian.org/debian-security wheezy/updates main
>
> # wheezy-updates, previously known as 'volatile'
> deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
> deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
> ==
>
> Any ideas how I should proceed?



By checking the revision of the release, rather than just the internal 
version number.


dom@ozzy:~$ dpkg-query -W openssl
openssl 1.0.1e-2+deb7u6

The deb7u6 is the important bit. The heartbleed bug only exists in 
deb7u4 and earlier.


--
Dom


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/535369f4@rpdom.net



Re: Why still heartbleed on Wheezy SOLVED

2014-04-20 Thread Steve Litt
On Sun, 20 Apr 2014 05:57:57 +
Jimmy Wu jimmywu...@gmail.com wrote:

> On Sun, Apr 20, 2014 at 5:39 AM, Steve Litt
> sl...@troubleshooters.com wrote:
> > Hi all,
> >
> > I installed Wheezy on my backup server, then did this:
> >
> > apt-get update
> > apt-get upgrade
> >
> > root@bupserv:/backupserver/stevebup# openssl version
> > OpenSSL 1.0.1e 11 Feb 2013
> > root@bupserv:/backupserver/stevebup#
>
> Wheezy is the current stable so they aren't going to update an
> important library to a new upstream version. Instead they backport
> security patches to the current version. Check your package version.
>
> dpkg -l openssl
>
> According to the changelog [1], wheezy openssl got the heartbleed
> patch on 1.0.1e-2+deb7u5 on April 7. The latest version as of this
> email is 1.0.1e-2+deb7u7.
>
> [1]
> http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1e-2+deb7u7_changelog

Thanks Jimmy,

Yes! Once I checked it with the dpkg command, it told me
1.0.1e-2+deb7u7, which is the documented fixed version for Wheezy. So
my new backup server is Heartbleed free, and I can go on to other
things. Thanks for this info!

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


-- 
Archive: https://lists.debian.org/20140420025235.604c2751@mydesk



Re: Why still heartbleed on Wheezy SOLVED AGAIN

2014-04-20 Thread Steve Litt
On Sun, 20 Apr 2014 07:32:20 +0100
Dom to...@rpdom.net wrote:

> On 20/04/14 06:39, Steve Litt wrote:
> > Hi all,
> >
> > I installed Wheezy on my backup server, then did this:
> >
> > apt-get update
> > apt-get upgrade
> >
> > root@bupserv:/backupserver/stevebup# openssl version
> > OpenSSL 1.0.1e 11 Feb 2013
> > root@bupserv:/backupserver/stevebup#
> >
> >
> > Here's my /etc/apt/sources.list:
> >
> > ==
> > #
> >
> > # deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64
> > NETINST Binary-1 20140208-13:45]/ wheezy main
> >
> > #deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64 NETINST
> > Binary-1 20140208-13:45]/ wheezy main
> >
> > deb http://ftp.us.debian.org/debian/ wheezy main non-free contrib
> > deb-src http://ftp.us.debian.org/debian/ wheezy main non-free contrib
> >
> > deb http://security.debian.org/ wheezy/updates main contrib non-free
> > deb-src http://security.debian.org/ wheezy/updates main contrib non-free
> >
> > deb http://security.debian.org/debian-security wheezy/updates main
> >
> > # wheezy-updates, previously known as 'volatile'
> > deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
> > deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
> > ==
> >
> > Any ideas how I should proceed?
>
>
> By checking the revision of the release, rather than just the
> internal version number.
>
> dom@ozzy:~$ dpkg-query -W openssl
> openssl   1.0.1e-2+deb7u6
>
> The deb7u6 is the important bit. The heartbleed bug only exists
> in deb7u4 and earlier.
 


Thanks Dom,

This was indeed the issue:

root@bupserv:/etc/apt# dpkg-query -W openssl
openssl 1.0.1e-2+deb7u7
root@bupserv:/etc/apt#

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


-- 
Archive: https://lists.debian.org/20140420025505.415c29fb@mydesk



Why still heartbleed on Wheezy

2014-04-19 Thread Steve Litt
Hi all,

I installed Wheezy on my backup server, then did this:

apt-get update
apt-get upgrade

root@bupserv:/backupserver/stevebup# openssl version
OpenSSL 1.0.1e 11 Feb 2013
root@bupserv:/backupserver/stevebup# 


Here's my /etc/apt/sources.list:

==
# 

# deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64 NETINST
Binary-1 20140208-13:45]/ wheezy main

#deb cdrom:[Debian GNU/Linux 7.4.0 _Wheezy_ - Official amd64 NETINST
Binary-1 20140208-13:45]/ wheezy main

deb http://ftp.us.debian.org/debian/ wheezy main non-free contrib
deb-src http://ftp.us.debian.org/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

deb http://security.debian.org/debian-security wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
==

Any ideas how I should proceed?

Thanks,

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


-- 
Archive: https://lists.debian.org/20140420013924.3223f145@mydesk



Re: Why still heartbleed on Wheezy

2014-04-19 Thread Jimmy Wu
On Sun, Apr 20, 2014 at 5:39 AM, Steve Litt sl...@troubleshooters.com wrote:
> Hi all,
>
> I installed Wheezy on my backup server, then did this:
>
> apt-get update
> apt-get upgrade
>
> root@bupserv:/backupserver/stevebup# openssl version
> OpenSSL 1.0.1e 11 Feb 2013
> root@bupserv:/backupserver/stevebup#

Wheezy is the current stable so they aren't going to update an
important library to a new upstream version. Instead they backport
security patches to the current version. Check your package version.

dpkg -l openssl

According to the changelog [1], wheezy openssl got the heartbleed
patch on 1.0.1e-2+deb7u5 on April 7. The latest version as of this
email is 1.0.1e-2+deb7u7.

[1] 
http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1e-2+deb7u7_changelog

Cheers,

Jimmy


-- 
Archive: 
https://lists.debian.org/can0j2y6pwuu4nrgcvu6be7p+1xmuqmhs+jdcamwwkjhb+px...@mail.gmail.com
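
The check this thread arrives at, as an added example that is not part of any message above: classify a wheezy openssl package version by its Debian security revision rather than by the upstream banner. The function names and the FIXED_REV variable are made up for this example; the revision numbers are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Revisions quoted in the thread: the Heartbleed fix landed in
# 1.0.1e-2+deb7u5; deb7u4 and earlier are affected.
FIXED_REV=5

# heartbleed_status VERSION -> prints patched | vulnerable | unknown
# Only understands wheezy's 1.0.1e-2[+deb7uN] version scheme.
heartbleed_status() {
    ver=$1
    case $ver in
        1.0.1e-2+deb7u*)
            rev=${ver##*+deb7u}          # keep what follows "+deb7u"
            case $rev in
                ''|*[!0-9]*) echo unknown; return 0 ;;  # not a plain number
            esac
            if [ "$rev" -ge "$FIXED_REV" ]; then
                echo patched
            else
                echo vulnerable
            fi ;;
        1.0.1e-2)
            # No security revision at all: sorts before every +deb7uN.
            echo vulnerable ;;
        *)
            # Includes the "openssl version" banner, which carries no
            # Debian revision and so cannot answer the question.
            echo unknown ;;
    esac
}

# installed_version PKG -> prints only the Version field, empty if absent
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# On a Debian host, report the installed package (skipped elsewhere).
if command -v dpkg-query >/dev/null 2>&1; then
    v=$(installed_version openssl)
    echo "openssl ${v:-not installed}: $(heartbleed_status "$v")"
fi
```

On wheezy the library that services actually load ships in libssl1.0.0, built from the same source package, so pass that package name to installed_version as well.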