On Fri, May 16, 2014 at 02:45:24PM +0100, Arran Cudbard-Bell wrote:
On 16 May 2014, at 14:24, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary package. Already installed on the normal location /usr/lib. => Heartbleed bug.
Debian's openssl 1.0.1e packaged has been patched, so it's not vulnerable if you're up-to-date with the latest package.
They, like other distributions, annoyingly don't update the version number. So you have to set
allow_vulnerable_openssl = yes
If you build FR from source as a package, this is all sorted for you - the allow_vulnerable_openssl is automatically set, because the built backage will depend on the correct (patched) version of openssl.
No, this had to be removed because it broke ubuntu builds.
Why? It's not as if anyone uses Ubuntu for anything serious. ;) First statement still stands, though. Distro version numbers are stupidly confusing, and not at all helpful in this situation. As long as the packages are up-to-date, whatever the version stated, the system is probably not vulnerable anyway - check distro package release notes/changelog. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>