Question

4

Heartbleed: dist-upgrade didn't fix it

rated 0 times [ 4] [ 0] / answers: 1 / hits: 2904 / 2 Years ago, mon, december 27, 2021, 8:21:20

Sorry for my bad English.

I'm running Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-60-virtual x86_64).

In an attempt to fix Heartbleed, I first ran apt-get update, then apt-get dist-upgrade.

It went all OK, so I thought that that security issue was fixed.

But openssl version -a outputs:

OpenSSL 1.0.1e 11 Feb 2013

built on: Sat Feb  1 22:14:33 UTC 2014

platform: debian-amd64

options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) 

compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM



OPENSSLDIR: "/usr/lib/ssl"

I have already rebooted the server (I had to replace sysvinit with upstart after dist-upgrade, otherwise I couldn't reboot).

After rebooting, apt-get dist-upgrade outputs the following:

The following packages will be REMOVED:

  upstart

The following NEW packages will be installed:

  sysvinit

The following packages have been kept back:

  libnih-dbus1 libnih1

0 upgraded, 1 newly installed, 1 to remove and 2 not upgraded.

Well, according to that output, there is nothing ssl-related left to upgrade. But openssl version -a keeps outputting the same old February build.

So, my question is why is my system still running the old build of openssl?

Thanks for your help.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

lowstonnequ

Add To Favorites

Follow

Total Points: 279

Total Questions: 125

Total Answers: 123

Location: Finland

Member since Sun, Dec 5, 2021

2 Years ago

lowstonnequ questions

1 Battery indicator/upower not working since 22.10 upgrade

Wed, Oct 26, 22, 14:40, 2 Years ago

1 Keyboard ALT + SHIFT doesn't work

Tue, Feb 28, 23, 01:39, 1 Year ago

1 wifi not working after kernel update to 5.13.0-27-generic in Ubuntu 20.04

Sat, Mar 12, 22, 18:48, 2 Years ago

1 How do I handle windows that are too tall?

Wed, Dec 1, 21, 23:44, 2 Years ago

1 Gnome extensions under Ubuntu 21.10

Thu, Apr 21, 22, 13:13, 2 Years ago

View All

answered 2 Years ago oreera · Accepted Answer

I've managed to fix the issue!

For some reason, apt-get update wasn't getting aware of the new security packages (although Ubuntu security repository is correctly listed in my sources.list).

What I had to do was to manually download the following deb files, and then install them manually.

List of packages I had to download and install

64 Bit

openssl: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.12_amd64.deb

libssl1.0.0: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1-4ubuntu5.12_amd64.deb

libssl-dev: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.0.1-4ubuntu5.12_amd64.deb

32 Bit

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.12_i386.deb

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.0.1c-3ubuntu2.7_i386.deb

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1c-3ubuntu2.7_i386.deb

The following command will install a manually downloaded deb package:

sudo dpkg -i package_name.deb

After installing all the 3 packages and rebooting the server, the problem is now fixed!

(Output of http://filippo.io/Heartbleed/.)