[Pkg-openssl-devel] Bug#743883: Is it really fixed?
Jerzy Sobczyk
J.Sobczyk at elka.pw.edu.pl
Fri Apr 11 06:40:17 UTC 2014
Hello!
After reading the advisory DSA-2896-1 openssl -- security update
I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
and tested them again with:
http://filippo.io/Heartbleed/#example.server.domain
http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
And still I get "IS VULNERABLE" results!
Does it mean that tests are wrong or the package is not fixed?
After a while I discovered that upgrading the openssl package is not enough!
It is also necessary to upgrade the following packages (may be too many):
libcrypto1.0.0-udeb
libssl-dev
libssl-doc
libssl1.0.0
libssl1.0.0-dbg
IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
Alternatively (better), the openssl package should require
newer versions of the necessary libraries.
With Best Regards,
Jerzy Sobczyk
--
------------------ Institute of Control and Computation Engineering ______
Jerzy Sobczyk Warsaw University of Technology /_/ |
J.Sobczyk at ia.pw.edu.pl Nowowiejska 15/19 / / /| |
http://www.ia.pw.edu.pl/~jurek 00-665 Warsaw, POLAND / / _>| |
tel. +48 22 234 7863 _____________ fax. +48 22 8253719 ________ /_/_/ |_|