<div dir="ltr">ditto with fedora. The patched version is 1.0.1e-37.f19.1 <- it's the .1 that matters here.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 16, 2014 at 10:34 AM, Beddingfield, Allen <span dir="ltr"><<a href="mailto:allen@ua.edu" target="_blank">allen@ua.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You can't necessarily go by the version #, though. For example, Red Hat backported the fix into the version they shipped with the OS, instead of incrementing the version #.<br>
Allen B.<br>
<div class="">--<br>
Allen Beddingfield<br>
Systems Engineer<br>
The University of Alabama<br>
<br>
</div>________________________________________<br>
From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] on behalf of Jay Lozier [<a href="mailto:jslozier@gmail.com">jslozier@gmail.com</a>]<br>
Sent: Wednesday, April 16, 2014 9:32 AM<br>
To: <a href="mailto:ale@ale.org">ale@ale.org</a><br>
Subject: Re: [ale] OpenSSL Broken, Upgrade Now<br>
<div class="HOEnZb"><div class="h5"><br>
Hi<br>
<br>
I believe the patched version is OpenSSL 1.0.1g 7 Apr 2014<br>
<br>
Jay<br>
On 04/16/2014 10:24 AM, Paul Cartwright wrote:<br>
> I ran that and also got the same:<br>
> openssl<br>
> OpenSSL> version<br>
> OpenSSL 1.0.1e-fips 11 Feb 2013<br>
><br>
> openssl.x86_64 1:1.0.1e-37.fc20.1 @updates<br>
> openssl-libs.i686 1:1.0.1e-37.fc20.1 @updates<br>
> openssl-libs.x86_64 1:1.0.1e-37.fc20.1 @update<br>
><br>
><br>
> but I just got an updated openssl recently..<br>
>><br>
>> Yes and it is using the affected version. You need to patch.<br>
>><br>
>> You can figure out your version of openssl by:<br>
>><br>
>> Typing “openssl”<br>
>><br>
>> At prompt type “version”.<br>
>><br>
>> *From:*<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] *On Behalf Of<br>
>> *Jim Kinney<br>
>> *Sent:* Wednesday, April 16, 2014 8:38 AM<br>
>> *To:* Atlanta Linux Enthusiasts<br>
>> *Subject:* Re: [ale] OpenSSL Broken, Upgrade Now<br>
>><br>
>> If I run ssh -v user@host I see:<br>
>><br>
>> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013<br>
>> debug1: Reading configuration data /etc/ssh/ssh_config<br>
>> debug1: /etc/ssh/ssh_config line 51: Applying options for *<br>
>> ...<br>
>><br>
>> So is OpenSSH _using_ OpenSSL for encryption processes?<br>
>><br>
>> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a><br>
>> <mailto:<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>>> wrote:<br>
>><br>
>> Heartbleed bug also affects android phones with Jelly Bean version<br>
>><br>
>> <a href="http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows" target="_blank">http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows</a><br>
>><br>
>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik<br>
>> <<a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a> <mailto:<a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a>>> wrote:<br>
>><br>
>> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider<br>
>> replacing keys. Not as bad as Debian OpenSSL bug, but worse than<br>
>> "goto fail;".<br>
>><br>
>> "The Heartbleed Bug is a serious vulnerability in the popular<br>
>> OpenSSL cryptographic software library. This weakness allows<br>
>> stealing the information protected, under normal conditions, by<br>
>> the SSL/TLS encryption used to secure the Internet. SSL/TLS<br>
>> provides communication security and privacy over the Internet for<br>
>> applications such as web, email, instant messaging (IM) and some<br>
>> virtual private networks (VPNs).<br>
>><br>
>> The Heartbleed bug allows anyone on the Internet to read the<br>
>> memory of the systems protected by the vulnerable versions of the<br>
>> OpenSSL software. This compromises the secret keys used to<br>
>> identify the service providers and to encrypt the traffic, the<br>
>> names and passwords of the users and the actual content. This<br>
>> allows attackers to eavesdrop communications, steal data directly<br>
>> from the services and users and to impersonate services and users."<br>
>><br>
>> <a href="http://heartbleed.com" target="_blank">http://heartbleed.com</a><br>
>><br>
>> --<br>
>> David Tomaschik<br>
>> OpenPGP: 0x5DEA789B<br>
>> <a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br>
>> <a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a> <mailto:<a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a>><br>
>><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a> <mailto:<a href="mailto:Ale@ale.org">Ale@ale.org</a>><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>><br>
>> --<br>
>> James P. Kinney III<br>
>> /<br>
>> /Every time you stop a school, you will have to build a jail. What<br>
>> you gain at one end you lose at the other. It's like feeding a dog on<br>
>> his own tail. It won't fatten the dog.<br>
>> - Speech 11/23/1900 Mark Twain<br>
>> /<br>
>> <a href="http://heretothereideas.blogspot.com//" target="_blank">http://heretothereideas.blogspot.com//</a><br>
><br>
><br>
> --<br>
> Paul Cartwright<br>
> Registered Linux User #367800 and new counter #561587<br>
<br>
--<br>
Jay Lozier<br>
<a href="mailto:jslozier@gmail.com">jslozier@gmail.com</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div>
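The point made in this thread, that the upstream version string stays at 1.0.1e while the distro release suffix carries the backported fix, can be checked mechanically. The following is an added example, not code from any poster in the thread: the `FIXED_RELEASE` table is an assumption seeded with the fc20 build quoted above, the other package strings are constructed samples, and `rpm_cmp` is a simplified stand-in for RPM's own version comparison.

```python
import re

# Upstream releases 1.0.1 through 1.0.1f carry the bug; 1.0.1g is the upstream fix.
AFFECTED_UPSTREAM = re.compile(r"^1\.0\.1[a-f]?$")

# Assumption: first fixed build per dist tag. The fc20 value is the build quoted
# in the thread; fill the rest from your vendor's advisory, not from this table.
FIXED_RELEASE = {"fc20": "37.fc20.1"}

def segments(s):
    """Split an RPM version/release string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_cmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1 (no '~' or '^' handling)."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing run wins

def classify(evr):
    """Classify an 'epoch:version-release' string as printed by rpm or yum."""
    version, _, release = evr.split(":")[-1].partition("-")
    if not AFFECTED_UPSTREAM.match(version):
        return "not-affected-upstream"
    m = re.search(r"\.((?:fc|el)\d+)", release)
    fixed = FIXED_RELEASE.get(m.group(1)) if m else None
    if fixed is None:
        return "unknown-check-vendor-advisory"
    return "patched-backport" if rpm_cmp(release, fixed) >= 0 else "vulnerable"

if __name__ == "__main__":
    # First string is from the thread; the rest are constructed samples.
    for pkg in ("1:1.0.1e-37.fc20.1", "1:1.0.1e-37.fc20", "1.0.1g-1.fc20", "1.0.1e-16.el6"):
        print(pkg, "->", classify(pkg))
```

The `openssl version` banner reads 1.0.1e-fips for both the first and second sample, which is why the package release, not the banner, has to be compared.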