Bananian

OpenSSL Version in repos heartbleeded

josch  
Edited by josch at Thu Nov 13, 2014 11:13

Hi there,

I was just about to set up an OpenVPN server on my banana-pi (running bananian) and realized the OpenSSL version from the repositories is version 1.0.1e-2+deb7u13

    Package: openssl
    Version: 1.0.1e-2+deb7u13
    Installed-Size: 951
    Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
    Architecture: armhf
    Depends: libc6 (>= 2.13-28), libssl1.0.0 (>= 1.0.1e-2+deb7u5), zlib1g (>= 1:1.1.4)
    Suggests: ca-certificates

which is still vulnerable to Heartbleed attacks.

Any suggestions or remarks? Are there some specific ARM repos for important security updates which are not within http://security.debian.org/ wheezy/updates?

I am not sure what to do right now..

friendly regards ...
josch  
Edited by josch at Thu Nov 13, 2014 11:59

Guess I found out myself. There are some official releases for the next upcoming Debian (called "jessie").
So one can simply add its mirror to apt's sources list.

Mirror-URL:

    deb http://ftp.de.debian.org/debian jessie main

(told so here: https://packages.debian.org/jessie/armhf/openssl/download )

After adding the mirror just update apt (apt-get update) and do this:

    apt-get install openssl
    apt-get install openvpn
    apt-get install libssl1.0.0

The libssl seems to be important because otherwise the newer openssl version obviously still works with the old SSL library, which is still Heartbleed vulnerable.

Before updating libssl1.0.0 I got this:

    1 root@bananapi ~ # openssl version
    OpenSSL 1.0.1j 15 Oct 2014 (Library: OpenSSL 1.0.1e 11 Feb 2013)

After the update process (using the "jessie" sources) I got a non-Heartbleed version on my system:

    root@bananapi ~ # openssl version
    OpenSSL 1.0.1j 15 Oct 2014

Hope this is going to fix the issue.

josch  
bullet64 replied at Thu Nov 13, 2014 11:58
I think it's safe.

https://www.debian.org/security/2014/dsa-2896

wow... awesome... all that work for nothing.

Thank you anyway

bullet64 replied at Thu Nov 13, 2014 11:58
I think it's safe.

https://www.debian.org/security/2014/dsa-2896

It IS safe. I highly recommend you not to add any Jessie repositories.
