Heartbleed patch


Just for the record and to put my mind at rest, can anyone explain how come the patch to fix the Heartbleed security vulnerability in oS 12.3 & 13.1 is for version 1.0.1e, when the bug info (and this) clearly states that the vulnerability affects versions prior to 1.0.1g? Does the patch render 1.0.1e as secure as 1.0.1g?

Thanks - JS

It is pretty common for most Linux distros to “backport” the patch. They take the changes made to fix the bug and turn them into a patch to the installed version. This is less disruptive. Installing a whole new version of openssl might require recompiling everything that uses openssl libraries. Backporting the patch only requires updating the dynamic libraries and restarting the other software (or rebooting) so that it uses the updated library.

Assuming that the backporting was done correctly, 1.0.1e should be fine. But it won’t have other changes unrelated to the bug that might be in 1.0.1g.
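As an added example (not something posted in this thread), here is a small POSIX shell script that puts nrickert's two points into practice: a package whose upstream version string still reads 1.0.1e can carry the backported fix, so the thing to check is the distro package changelog, not the version; and after the library is swapped on disk, any process that has not been restarted keeps the old copy mapped, which the kernel shows as “(deleted)” in /proc/PID/maps. Both inputs below are constructed samples standing in for `rpm -q --changelog openssl` and for one process's `/proc/PID/maps`; the changelog wording is an assumption, so adapt the keyword to whatever your distro's advisory actually says.

```shell
#!/bin/sh
# Added example: verify a backported fix and detect processes still running the
# old library. Sample data is constructed; live commands are shown in comments.

# Constructed stand-in for the output of:  rpm -q --changelog openssl
SAMPLE_CHANGELOG='* Tue Apr 08 2014 maintainer@example.org
- openssl-1.0.1e-heartbleed.patch: add the missing bounds check in the TLS
  heartbeat extension (backport of the upstream 1.0.1g change)
* Mon Feb 11 2013 maintainer@example.org
- update to 1.0.1e
'

# Constructed stand-in for one process's /proc/PID/maps after the library
# update but before the process was restarted: the on-disk files were replaced,
# so the still-mapped old copies are flagged "(deleted)".
SAMPLE_MAPS='7f1a00000000-7f1a00200000 r-xp 00000000 08:01 4001 /lib64/libcrypto.so.1.0.0 (deleted)
7f1a00400000-7f1a00480000 r-xp 00000000 08:01 4002 /lib64/libssl.so.1.0.0 (deleted)
7f1a00600000-7f1a00700000 r-xp 00000000 08:01 4003 /lib64/libc-2.18.so
'

# changelog_has_fix CHANGELOG_TEXT KEYWORD -> prints "yes" or "no"
# A case-insensitive search of the changelog for the advisory keyword; this is
# the evidence that the version string alone cannot give you.
changelog_has_fix() {
    if printf '%s\n' "$1" | grep -qi -- "$2"; then
        echo yes
    else
        echo no
    fi
}

# stale_ssl_mappings MAPS_TEXT -> prints the number of libssl/libcrypto
# objects that are mapped but already deleted on disk (0 means the process
# is using the updated library).
stale_ssl_mappings() {
    printf '%s\n' "$1" | grep -c -E 'lib(ssl|crypto)\.so.*\(deleted\)' || true
}

# Demonstration on the constructed samples. On a real host you would run
#   rpm -q --changelog openssl | grep -i heartbleed
# and
#   for m in /proc/[0-9]*/maps; do stale_ssl_mappings "$(cat "$m" 2>/dev/null)"; done
echo "changelog mentions the fix: $(changelog_has_fix "$SAMPLE_CHANGELOG" heartbleed)"
echo "stale SSL library mappings in sample process: $(stale_ssl_mappings "$SAMPLE_MAPS")"
```

A non-zero stale count means that process is still serving connections with the pre-fix code even though the package is updated; that is the “restart the other software (or reboot)” step above.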

nrickert already explained why it’s still “e” although it’s been fixed - because it was backported code.

However, to put your mind at ease, you can use this awesome SSL testing tool to check your server if it’s a “public” one: https://www.ssllabs.com/ssltest/

It will also give you hints as to what to fix in your SSL configuration if you are so inclined (such as cipher support and forward secrecy), and help you figure out if you have other configuration issues.

nrickert/Miuku, hi.

Message received and understood - thanks.