[Pkg-openssl-devel] Bug#743883: Bug#743883: Is it really fixed?
Kurt Roeckx
kurt at roeckx.be
Fri Apr 11 07:14:57 UTC 2014
On Fri, Apr 11, 2014 at 08:40:17AM +0200, Jerzy Sobczyk wrote:
> Hello!
>
> After reading the advisory DSA-2896-1 openssl -- security update
> I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
> and tested them again with:
> http://filippo.io/Heartbleed/#example.server.domain
> http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
> And still I get "IS VULNERABLE" results!
> Does it mean that tests are wrong or the package is not fixed?
>
> After a while I have discovered that upgrading the openssl package is not enough!
> It is also necessary to upgrade these packages (maybe too many):
> libcrypto1.0.0-udeb
> libssl-dev
> libssl-doc
> libssl1.0.0
> libssl1.0.0-dbg
> IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
> Alternatively (better) openssl package should require
> newer versions of necessary libraries.

You need to update libssl1.0.0, it has always been written in the
advisory.
Kurt