Hearbleed and OpenSSL 1.0.1c


bonne
Just want to make sure if I get this right.

Patches 007 and 008 (OpenSSL-fix) for 5.4 have been run.

OpenBSD 5.5 install source code patch branch run and compiled.

On both setups I get this:

# openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: date not available
platform: information not available
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: information not available
OPENSSLDIR: "/etc/ssl"

As far as I understand, OpenSSL 1.0.1g is needed in order to be home safe
reg. heartbleed.

I know that OpenBSD's OpenSSL is a fork, and this is maybe where the
confusion comes in... but can someone clarify for me the above?

Regards, Lars.


Re: Hearbleed and OpenSSL 1.0.1c

Jeremie Courreges-Anglas-2
Lars Bonnesen <[hidden email]> writes:

> Just want to make sure if I get this right.
>
> Patches 007 and 008 (OpenSSL-fix) for 5.4 have been run.
>
> OpenBSD 5.5 install source code patch branch run and compiled.
>
> On both setups I get this:
>
> # openssl version -a
> OpenSSL 1.0.1c 10 May 2012
> built on: date not available
> platform: information not available
> options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int)
> blowfish(idx)
> compiler: information not available
> OPENSSLDIR: "/etc/ssl"
>
> As far as I understand, OpenSSL 1.0.1g is needed in order to be home safe
> reg. heartbleed.
>
> I know that OpenBSD's OpenSSL is a fork, and this is maybe where the
> confusion comes in... but can someone clarify for me the above?

The patches you applied are just that, patches that fix the problem
they're supposed to fix.  There is no reason to change the OpenSSL
version in such a patch, it would be a lie.

This is not related to the fork, which happened in -current and does not
affect 5.5.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: Hearbleed and OpenSSL 1.0.1c

Reyk Floeter-2
In reply to this post by bonne
Hi,

I've seen some typos of "Heartbleed" but "Hearbleed" is a good one :)

On Fri, May 02, 2014 at 12:20:55PM +0200, Lars Bonnesen wrote:
> As far as I understand, OpenSSL 1.0.1g is needed in order to be home safe
> reg. heartbleed.
>
> I know that OpenBSD's OpenSSL is a fork, and this is maybe where the
> confusion comes in... but can someone clarify for me the above?
>

Anyway, the common process in -stable is to fix bugs and not to
upgrade to newer versions.  We try to keep the patches as small as
possible in there to avoid any side-effects, API, configuration or ABI
changes.

(You can even see this happened elsewhere like in Debian-stable where
they fixed Heartbleed in 1.0.1e instead of upgrading to 1.0.1g)

Reyk
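The point both replies make, that a backported fix leaves the upstream version string untouched, is exactly what trips up inventory and scanner rules that only compare "1.0.1c" against "1.0.1g". The following Python is an added example, not code from this thread or from the OpenBSD project: it parses the `openssl version -a` output Lars posted (with the mail-wrapped `options:` line), applies the naive upstream-version rule, and shows why that rule can only say "check the vendor's patch record", never "vulnerable", for a -stable build. The `triage` verdict strings, the `distro_patch_applied` parameter and the Debian-style package version with its `X` placeholder are assumptions made for the example.

```python
"""Triage of OpenSSL version strings for a backported Heartbleed fix.

Added example (not code from the OpenBSD misc@ thread). Demonstrates that
the upstream version letter alone cannot distinguish a patched -stable
build from an unpatched one, so the verdict must fall back to the vendor's
own patch record (OpenBSD errata, Debian package changelog, ...).
"""
import re

# Constructed sample input: the output Lars posted to the list. The
# "options:" line is wrapped onto a second line exactly as it was in the mail.
OPENBSD_OUTPUT = """\
OpenSSL 1.0.1c 10 May 2012
built on: date not available
platform: information not available
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: information not available
OPENSSLDIR: "/etc/ssl"
"""

# Upstream 1.0.1 releases before this letter shipped the heartbeat bug.
FIRST_FIXED_LETTER = "g"


def parse_version_output(text):
    """Turn `openssl version -a` output into a dict of its fields.

    Lines without a "key:" prefix are treated as mail-wrapped continuations
    of the previous field, as happens with the long "options:" line.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    m = re.match(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+(.+)", lines[0])
    if not m:
        raise ValueError("unrecognised version line: %r" % lines[0])
    info = {
        "series": tuple(int(p) for p in m.group(1).split(".")),
        "letter": m.group(2),
        "date": m.group(3).strip(),
    }
    last_key = None
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and " " not in key.strip():
            last_key = key.strip().lower()
            info[last_key] = value.strip()
        elif sep and key.strip() == "built on":
            last_key = "built on"
            info[last_key] = value.strip()
        elif last_key is not None:
            info[last_key] += " " + line.strip()  # wrapped continuation
    return info


def upstream_in_vulnerable_range(info):
    """True when the *upstream* version alone falls in 1.0.1 .. 1.0.1f."""
    return info["series"] == (1, 0, 1) and info["letter"] < FIRST_FIXED_LETTER


def triage(text, distro_patch_applied=None):
    """Classify a build from its version output plus vendor evidence.

    distro_patch_applied is the operator's finding from the vendor's patch
    record (True/False); None means it has not been checked. Verdict strings
    are an assumption of this example.
    """
    info = parse_version_output(text)
    if not upstream_in_vulnerable_range(info):
        return "fixed-upstream"
    if distro_patch_applied is True:
        return "fixed-by-backport"  # version string unchanged, as on the list
    if distro_patch_applied is False:
        return "vulnerable"
    return "unknown-check-vendor-patch-record"


def split_debian_version(pkg_version):
    """Split a Debian package version into (upstream, debian_revision).

    A backported fix bumps only the revision; the upstream part stays
    "1.0.1e". Format is illustrative; "X" below is a placeholder.
    """
    upstream, sep, revision = pkg_version.rpartition("-")
    if not sep:
        return pkg_version, ""
    return upstream, revision


if __name__ == "__main__":
    print(parse_version_output(OPENBSD_OUTPUT))
    print("naive rule says:", triage(OPENBSD_OUTPUT))
    print("with errata 007/008 recorded:", triage(OPENBSD_OUTPUT, True))
    print(split_debian_version("1.0.1e-2+deb7uX"))  # placeholder revision
```

The practical takeaway for a detection rule: a version banner in the affected upstream range is a trigger to consult the vendor's patch record, not a finding on its own, because on a -stable branch the fix and the string are decoupled by design.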