Re: Can't patch Heartbleed bug?

2014-04-13 Thread Andrei POPESCU
On Vi, 11 apr 14, 14:19:29, Reco wrote: 'aptitude changelog' won't do one any good unless one has some deb-src entries in sources.list. That's a bug in aptitude[1], the changelog downloading doesn't have anything to do with source packages. [1]

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Florian Ernst
On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0 This is good as in if you have restarted all processes using vulnerable parts of OpenSSL after updating

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Florian Ernst
On Thu, Apr 10, 2014 at 10:14:59AM -0400, Dan Ritter wrote: On Thu, Apr 10, 2014 at 03:54:38PM +0200, Florian Ernst wrote: On Thu, Apr 10, 2014 at 09:18:00AM -0400, Brad Alexander wrote: I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec

Re: Can't patch Heartbleed bug?

2014-04-11 Thread andre
I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0 This is good as in if you have restarted all processes using vulnerable parts of OpenSSL after updating all OpenSSL packages then you are not vulnerable anymore by

Re: Can't patch Heartbleed bug?

2014-04-11 Thread D.E. Bil
On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0 Am I the only one utilizing aptitude changelog package? -- debil :wq -- To UNSUBSCRIBE, email to

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Reco
Hi. On Fri, Apr 11, 2014 at 01:00:09PM +0300, D.E. Bil wrote: On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0 Am I the only one utilizing

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Darac Marjal
On Fri, Apr 11, 2014 at 02:19:29PM +0400, Reco wrote: Hi. On Fri, Apr 11, 2014 at 01:00:09PM +0300, D.E. Bil wrote: On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2

Re: Can't patch Heartbleed bug?

2014-04-11 Thread D.E. Bil
On Fri, Apr 11, 2014 at 02:19:29PM +0400, Reco wrote: Hi. On Fri, Apr 11, 2014 at 01:00:09PM +0300, D.E. Bil wrote: On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Charlie
On Fri, 11 Apr 2014 09:43:57 +0200 Florian Ernst sent: On Fri, Apr 11, 2014 at 08:33:38AM +1000, Charlie wrote: I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0 This is good as in if you have

Re: Can't patch Heartbleed bug?

2014-04-11 Thread Richard Hector
On 11/04/14 03:21, Lisi Reisz wrote: On Thursday 10 April 2014 14:57:37 Florian Ernst wrote: apt-cache policy openssl lisi@Tux-II:~$ apt-cache policy openssl Just a reminder - libssl1.0.0 is the crucial package (though openssl is important as well, but doesn't get used so much) libssl1.0.0

Can't patch Heartbleed bug?

2014-04-10 Thread Dr. Jennifer Nussbaum
I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package infrastructure. I'm trying to fix the Heartbleed bug, but my system seems to think everything is up to date.  My /etc/apt/sources.list

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Erwan David
Le 2014-04-10 14:56, Dr. Jennifer Nussbaum a écrit : I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package infrastructure. I'm trying to fix the Heartbleed bug, but my system seems to think

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Florian Ernst
On Thu, Apr 10, 2014 at 03:00:52PM +0200, Erwan David wrote: Le 2014-04-10 14:56, Dr. Jennifer Nussbaum a écrit : I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package infrastructure. I'm

Re: Can't patch Heartbleed bug?

2014-04-10 Thread adresse-privee
Le 2014-04-10 14:56, Dr. Jennifer Nussbaum a écrit : I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package infrastructure. I'm trying to fix the Heartbleed bug, but my system seems to think

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Brad Alexander
I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat feature. My wheezy box has 1.0.1e: ii libssl1.0.0:i386 1.0.1e-2+deb7u6 i386 SSL shared libraries ii openssl

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Jeremy T. Bouse
On 10.04.2014 08:56, Dr. Jennifer Nussbaum wrote: I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package infrastructure. I'm trying to fix the Heartbleed bug, but my system seems to think

Re: Can't patch Heartbleed bug?

2014-04-10 Thread David Glover
Debian patched the wheezy version of OpenSSL without changing the version number. Run: dpkg-query -l openssl You should see version 1.0.1e-2+deb7u5. The +deb7u5 indicates the heartbleed patch is installed. -- David Glover | http://www.davidglover.org/contact PGP key 5518C7DE | Amateur

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Lisi Reisz
On Thursday 10 April 2014 14:18:00 Brad Alexander wrote: I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat feature. My wheezy box has 1.0.1e: ii libssl1.0.0:i386

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Florian Ernst
On Thu, Apr 10, 2014 at 09:18:00AM -0400, Brad Alexander wrote: I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat feature. My wheezy box has 1.0.1e: [...] So you shouldn't have anything to worry

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Florian Ernst
On Thu, Apr 10, 2014 at 02:49:27PM +0100, Lisi Reisz wrote: lisi@Tux-II:~$ dpkg-query -l openssl Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Dr. Jennifer Nussbaum
On Thursday, April 10, 2014 9:01 AM, Erwan David er...@rail.eu.org wrote: Le 2014-04-10 14:56, Dr. Jennifer Nussbaum a écrit : I'm running Debian Wheezy 7.4 on a server in Amazon's EC2, that i installed, recently, from the official Debian AMI. I havent made any changes to the package

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Dr. Jennifer Nussbaum
On Thursday, April 10, 2014 9:30 AM, David Glover m...@davidglover.org wrote: Debian patched the wheezy version of OpenSSL without changing the version number. Run: dpkg-query -l openssl You should see version 1.0.1e-2+deb7u5. The +deb7u5 indicates the heartbleed patch is

Re: Can't patch Heartbleed bug?

2014-04-10 Thread andre
On 2014-04-10 15:49, Lisi Reisz wrote: On Thursday 10 April 2014 14:18:00 Brad Alexander wrote: I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat feature. My wheezy box has 1.0.1e: ii

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Brad Alexander
On Thu, Apr 10, 2014 at 9:54 AM, Florian Ernst florian_er...@gmx.netwrote: This is not accurate, OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. Please see https://www.debian.org/security/2014/dsa-2896 as well as http://heartbleed.com/ Thanks Flo, That's one of the problems with

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Dan Ritter
On Thu, Apr 10, 2014 at 03:54:38PM +0200, Florian Ernst wrote: On Thu, Apr 10, 2014 at 09:18:00AM -0400, Brad Alexander wrote: I don't believe that Wheezy was vulnerable to Heartbleed. It was only the 1.0.1f (committed 31 Dec 2011) that incorporated the vulnerable heartbeat feature. My

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Lisi Reisz
On Thursday 10 April 2014 14:57:37 Florian Ernst wrote: Try a wider window, or simply COLUMNS=200 dpkg-query -l openssl, or use apt-cache policy openssl. I'm glad that you are not partially sighted. Lucky you. Lisi -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Lisi Reisz
On Thursday 10 April 2014 14:57:37 Florian Ernst wrote: apt-cache policy openssl lisi@Tux-II:~$ apt-cache policy openssl openssl: Installed: 1.0.1e-2+deb7u6 Candidate: 1.0.1e-2+deb7u6 Version table: *** 1.0.1e-2+deb7u6 0 500 http://security.debian.org/ wheezy/updates/main amd64

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Lisi Reisz
On Thursday 10 April 2014 16:18:58 Lisi Reisz wrote: On Thursday 10 April 2014 14:57:37 Florian Ernst wrote: Try a wider window, or simply COLUMNS=200 dpkg-query -l openssl, or use apt-cache policy openssl. I'm glad that you are not partially sighted. Lucky you. Sorry, everyone. :-( If I

Re: Can't patch Heartbleed bug?

2014-04-10 Thread Charlie
On Thu, 10 Apr 2014 15:57:37 +0200 Florian Ernst sent: Try a wider window, or simply COLUMNS=200 dpkg-query -l openssl, or use apt-cache policy openssl. HTH, Flo I'm already to g on Jessie. Is that good? openssl: Installed: 1.0.1g-2 Candidate: 1.0.1g-2 Version table: *** 1.0.1g-2 0