
Thread: Heartbleed patch

  1. #1

    Heartbleed patch

    Hi,

    just for the record and to put my mind at rest, can anyone explain how come the patch to fix the Heartbleed security vulnerability in oS 12.3 & 13.1 is for version 1.0.1e, when the bug info (and this) clearly states that the vulnerability affects versions prior to 1.0.1g? Does the patch render 1.0.1e as secure as 1.0.1g?

    thanks - JS

  2. #2

    Re: Heartbleed patch

    Originally posted by jack_sprat:
    Hi,

    just for the record and to put my mind at rest, can anyone explain how come the patch to fix the Heartbleed security vulnerability in oS 12.3 & 13.1 is for version 1.0.1e, when the bug info (and this) clearly states that the vulnerability affects versions prior to 1.0.1g? Does the patch render 1.0.1e as secure as 1.0.1g?

    thanks - JS

    It is pretty common for most Linux distros to "backport" the patch. They take the changes made to fix the bug, and turn them into a patch to the installed version. This is less disruptive. Installing a whole new version of openssl might require recompiling everything that uses openssl libraries. Backporting the patch only requires updating the dynamic libraries and restarting the other software (or rebooting) so that it uses the updated library.

    Assuming that the backporting was done correctly, 1.0.1e should be fine. But it won't have other changes unrelated to the bug, that might be in 1.0.1g.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
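
The restart step mentioned in the reply above can be checked on a host. This is an added example, not part of the original posts: it assumes Linux `/proc/PID/maps`, where the kernel marks a mapping of a replaced file with "(deleted)"; the function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list OpenSSL libraries that were replaced on disk but are
# still mapped by running processes (those processes need a restart).

# Constructed sample in /proc/PID/maps format; paths and inodes are made up.
sample_maps() {
cat <<'EOF'
00400000-004f1000 r-xp 00000000 08:02 393301 /usr/sbin/httpd2-prefork
7f1c2a400000-7f1c2a45c000 r-xp 00000000 08:02 131234 /lib64/libssl.so.1.0.0 (deleted)
7f1c2a45c000-7f1c2a65b000 ---p 0005c000 08:02 131234 /lib64/libssl.so.1.0.0 (deleted)
7f1c2a000000-7f1c2a1b9000 r-xp 00000000 08:02 131230 /lib64/libcrypto.so.1.0.0 (deleted)
7f1c29c00000-7f1c29da4000 r-xp 00000000 08:02 131100 /lib64/libc-2.17.so
EOF
}

# Read maps-format lines on stdin and print each stale libssl/libcrypto path
# once. The kernel appends "(deleted)" when the mapped file has been unlinked,
# which is what happens to the old library when the package is updated.
stale_openssl_libs() {
    awk 'NF >= 2 && $NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ {
             print $(NF-1)
         }' | sort -u
}

# Walk /proc and print "PID <tab> command <tab> stale libraries".
# Run as root to see every process; unreadable entries are skipped.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_openssl_libs 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# "scan" inspects the live system; anything else runs the constructed sample.
case "${1:-sample}" in
    scan) scan_procs ;;
    *)    sample_maps | stale_openssl_libs ;;
esac
```

On openSUSE, `zypper ps` reports the same condition for all deleted files, not only the OpenSSL libraries.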

  3. #3

    Re: Heartbleed patch

    nrickert already explained why it's still "e" although it's been fixed - because it was backported code.

    However, to put your mind at ease you can use this awesome SSL testing tool to check your server if it's a "public" one; https://www.ssllabs.com/ssltest/

    It will also give you hints as to what to fix in your SSL configuration if you are so inclined (such as Cipher support, Forward secrecy and figure out if you have other configuration issues).
    .: miuku @ #opensuse @ irc.libera.chat

  4. #4

    Re: Heartbleed patch

    nrickert/Miuku, hi.

    message received and understood - thanks.

    JS
