On 09.04.2014 12:04, Abhinandan Prateek wrote:
The latest Jenkins build template has openSSL version 1.0.1e, the version
that is compromised.
Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major
versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with
openssl 1.0.1e, but they will backport stuff.
After I did an "apt-get update && apt-get install openssl" I got
package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package
is ok according to the changelog:
"aptitude changelog openssl" says:
openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Enable checking for services that may need to be restarted
  * Update list of services to possibly restart
 -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Add CVE-2014-0160.patch patch.
    CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.
    A missing bounds check in the handling of the TLS heartbeat extension
    can be used to reveal up to 64k of memory to a connected client or
    server.
 -- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher,
then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
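The check Lucian describes above (look at the installed package version, confirm the changelog names CVE-2014-0160), written out as a small POSIX sh script. This is an added example, not code from the thread or from the CloudStack project. It takes from the thread only the package name "openssl", the fixed wheezy version 1.0.1e-2+deb7u5 and the CVE id; everything else (the function names, the sample lsof lines, the inclusion of the libssl1.0.0 library package that daemons actually link against) is an assumption of this example. It also adds the caveat the deb7u6 changelog entry hints at: upgrading the package does not help a daemon that still has the old library mapped until it is restarted.

```shell
#!/bin/sh
# Added example (not from the thread): check a Debian wheezy host for the
# Heartbleed fix discussed above. The sample lsof output below is constructed;
# the only facts taken from the thread are the package name "openssl", the
# fixed version 1.0.1e-2+deb7u5 and the CVE id CVE-2014-0160.
set -eu

FIXED="1.0.1e-2+deb7u5"   # first wheezy-security build carrying CVE-2014-0160.patch

# heartbleed_status VERSION
#   prints "fixed"   for a wheezy 1.0.1e-2+deb7uN build with N >= 5
#   prints "vuln"    for 1.0.1e-2 or an older 1.0.1e-2+deb7uN build
#   prints "unknown" for anything else (other upstream version or distribution:
#                    check it with "dpkg --compare-versions" against the vendor
#                    advisory instead of trusting the bare 1.0.1e number)
heartbleed_status() {
    v="$1"
    case "$v" in
        1.0.1e-2) echo vuln ;;
        1.0.1e-2+deb7u*)
            n="${v#1.0.1e-2+deb7u}"
            case "$n" in
                ''|*[!0-9]*) echo unknown; return ;;
            esac
            if [ "$n" -ge 5 ]; then echo fixed; else echo vuln; fi
            ;;
        *) echo unknown ;;
    esac
}

# changelog_lists_cve CHANGELOG_TEXT
#   succeeds if the Debian changelog text names CVE-2014-0160, i.e. what
#   "aptitude changelog openssl" showed in the thread. On a real host feed it
#   "$(zcat /usr/share/doc/openssl/changelog.Debian.gz)".
changelog_lists_cve() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# stale_libssl_procs LSOF_TEXT
#   A running daemon keeps the old, now-deleted libssl mapped after the
#   upgrade; lsof reports such mappings with "DEL" in the FD column. Given lsof
#   output, print "COMMAND PID" for each process that still maps a deleted
#   libssl and therefore must be restarted.
stale_libssl_procs() {
    printf '%s\n' "$1" | awk '$4 == "DEL" && $NF ~ /libssl/ { print $1, $2 }'
}

# check_host: the real-host wrapper. Queries dpkg for the openssl binary
# package and the libssl1.0.0 library package (the one services link against,
# an assumption of this example), then lists daemons with a stale libssl.
# Assumes dpkg-query and lsof exist; not exercised by the constructed demo.
check_host() {
    for pkg in openssl libssl1.0.0; do
        v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || echo none)
        printf '%s %s %s\n' "$pkg" "$v" "$(heartbleed_status "$v")"
    done
    stale_libssl_procs "$(lsof 2>/dev/null)"
}

# Constructed sample lsof output standing in for a real host: sshd still maps
# the deleted library, apache2 was restarted and maps the new one.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root DEL REG 8,1 12345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2 901 www-data mem REG 8,1 12345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd 812 root txt REG 8,1 6789 /usr/sbin/sshd'

demo() {
    for v in 1.0.1e-2 1.0.1e-2+deb7u4 1.0.1e-2+deb7u5 1.0.1e-2+deb7u6 1.0.1g-1; do
        printf '%s -> %s\n' "$v" "$(heartbleed_status "$v")"
    done
    printf 'processes still mapping a deleted libssl:\n'
    stale_libssl_procs "$SAMPLE_LSOF"
}

demo
```

On a live System VM, replace `demo` with `check_host`. The version check is deliberately narrow: it only reasons about wheezy 1.0.1e-2+deb7uN strings, because the upstream number 1.0.1e alone says nothing about whether the distribution's backport is installed, which is exactly the confusion the thread starts from.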