Why don't you update? If Ubuntu says you need 5.12, and that heartbleed site says you're vulnerable, what's the problem?
I have the following installed, which was updated yesterday or today on my machine.
ii openssl 1.0.1-4ubuntu5.12
The answer given does not answer the question, and as far as the latest package for x86_64 14.04 goes, the latest openssl package info is (if others have something different, please let me know):
openssl:
Installed: 1.0.1f-1ubuntu2.3
Candidate: 1.0.1f-1ubuntu2.3
Version table:
*** 1.0.1f-1ubuntu2.3 0
500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-updates/main amd64 Packages
500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-security/main amd64 Packages
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
100 /var/lib/dpkg/status
1.0.1f-1ubuntu2 0
500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty/main amd64 Packages
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
I have been messing around with installing/upgrading that to version 1.0.1h from HERE with no luck yet; when I make some headway I will check back in.
UPDATE: So I found the solution on another thread that just needed to be updated (source post listed below):
Below is the single command line to compile and install the latest openssl version.
curl https://www.openssl.org/source/openssl-1.0.1h.tar.gz | tar xz && cd openssl-1.0.1h && sudo ./config && sudo make && sudo make install
Replace the old openssl binary with the new one via a symlink. Go to /usr/bin in a terminal and run the command below:
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`
Reboot and you are good to go. You may want/need to create new certificates. Here is the original thread/post I updated. SOURCE
My output after running commands and rebooting:
OpenSSL 1.0.1h 5 Jun 2014
built on: Sat Jun 14 22:43:13 EDT 2014
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
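Whether OpenSSL is replaced by a package upgrade or by the source build above, any long-running service keeps the old library mapped in memory until it is restarted, which is why the reboot step matters. The following is an added example, not code from the post, that scans /proc/<pid>/maps for libssl/libcrypto objects the kernel marks "(deleted)"; the maps excerpt is constructed, and reading other users' processes requires root.

```python
import os
import re

# Pattern for one /proc/<pid>/maps line; the path is everything after the
# inode column and may carry a trailing " (deleted)" once the file on disk
# has been replaced by a package upgrade or a `make install`.
_MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/.*)$")

def libssl_mappings(maps_text):
    """Return {path: deleted?} for every libssl/libcrypto object in a maps dump."""
    found = {}
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if re.search(r"/lib(ssl|crypto)[^/]*\.so", path):
            found[path] = deleted or found.get(path, False)
    return found

def stale_processes(proc_root="/proc"):
    """List (pid, path) pairs for processes still holding a replaced libssl/libcrypto."""
    stale = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "maps")) as f:
                maps = f.read()
        except OSError:  # process exited, or not readable without root
            continue
        for path, deleted in libssl_mappings(maps).items():
            if deleted:
                stale.append((int(pid), path))
    return stale

# Constructed maps excerpt (not captured from a real host): a service that
# still maps the libssl and libcrypto that were on disk before the upgrade.
SAMPLE_MAPS = """\
7f0a1c000000-7f0a1c021000 rw-p 00000000 00:00 0
7f0a1c400000-7f0a1c5b2000 r-xp 00000000 08:01 131103 /lib/x86_64-linux-gnu/libc-2.19.so
7f0a1c800000-7f0a1c862000 r-xp 00000000 08:01 131204 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a1ca00000-7f0a1cbc3000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7fff3a000000-7fff3a021000 rw-p 00000000 00:00 0 [stack]
"""
```

Run stale_processes() as root after the upgrade; an empty list means every process is using the library currently on disk.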
Best Answer
What is Bash?
Bash is the default interactive shell in Ubuntu. When you are interfacing with the terminal (either through the terminal emulator, over a tty, or ssh), you are generally typing commands that bash will read and execute. Even if you do not use the terminal at all, you still have Bash. On Ubuntu, /bin/sh is not bash (it is dash). Only bash is affected by this vulnerability.
How does the exploit affect me?
Bash and the OS keep track of a set of environment variables that describe the current logged-on user, where to look for programs on the hard disk, and other such functions. By crafting an environment variable with a specific structure, an attacker might be able to execute code next time Bash starts.
The attacker can set that environment variable multiple ways:
The ForceCommand option is an attack vector. Accounts whose shell isn't bash aren't affected.
Once they set this variable, the next time bash opens for any reason, your attacker's code will be run. This is especially fearsome with sudo -s, as it spawns bash as the super-user (an administrative user role that has full control over your computer's data and programs). Even if you only start bash as a standard user, that user's files can be deleted.
It is important to note that even if you do not use bash yourself, many programs will spawn bash by themselves as part of their operation. Even in this case, you are vulnerable. However, Ubuntu's /bin/sh is not bash, so only programs that explicitly invoke bash and not the default scripting shell are affected.
According to Mitre:
Am I vulnerable?
Use dpkg to check your installed package version:
This will look up info on your bash package, and filter the output to only show you the version. The fixed versions are 4.3-7ubuntu1.4, 4.2-2ubuntu2.5, and 4.1-2ubuntu3.4. For example, I see:
and can determine that I am not vulnerable.
How do I update?
The standard update manager will offer you this update. This is a prime example of how security updates are important, no matter what OS you use or how well-maintained it is.
The USN Bulletin states that new versions have been released for Ubuntu 14.04 Trusty Tahr, 12.04 Precise Pangolin, and 10.04 Lucid Lynx. If you are not on one of these LTS versions, but are on a reasonably-recent version, you'll most likely be able to find a patched package.
First, check if you
If you are vulnerable, you should first grab the newest package lists:
The first command makes sure that you have the newest package list that includes the fixed version, and the second command installs the newest (fixed) version of bash.
While the bug only appears to come into play when bash is spawned, it's still a good idea to reboot immediately if feasible.
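The version check above is done by eye on one machine; across a fleet it is worth doing it in code with Debian's own version ordering, so that 4.3-7ubuntu1.10 ranks above 4.3-7ubuntu1.4 where a plain string comparison would not. This is an added example, not part of the answer: it parses `dpkg -s bash` output, compares the installed version against the fixed versions the answer lists, and applies equally to the openssl package discussed earlier; the dpkg output shown is constructed.

```python
import re
# Debian version ordering per deb-version(7), reimplemented so the auditing host needs no dpkg.
# Fixed bash versions are the ones named in the answer above.
FIXED_BASH = {"14.04": "4.3-7ubuntu1.4", "12.04": "4.2-2ubuntu2.5",
              "10.04": "4.1-2ubuntu3.4"}

def _order(c):
    # Weight of a non-digit char: '~' < end of string < letters < anything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Walk both strings in alternating non-digit and digit runs
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):  # numeric, so 1.10 sorts after 1.4
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # epoch:upstream-revision; a missing epoch or revision counts as 0
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def installed_version(dpkg_status):
    # Pull the Version: field out of `dpkg -s <pkg>` output
    for line in dpkg_status.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version: field in dpkg output")

def is_patched(installed, fixed):
    return compare_versions(installed, fixed) >= 0

# Constructed sample of `dpkg -s bash` output, not captured from a real host.
SAMPLE_STATUS = "Package: bash\nStatus: install ok installed\nVersion: 4.3-7ubuntu1.4\n"
```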