Users are checking the OpenSSL version in Ubuntu and getting the wrong conclusion

Apr 15, 2014 15:40 GMT  ·  By

The Heartbleed vulnerability that was discovered just last week took the world by surprise, but most of the affected services and operating systems have been patched. Unfortunately, some Ubuntu users haven't understood how the patching process works and have started to flood the forums and other social media with the message that Ubuntu is vulnerable.

Before the OpenSSL issue became known to the general public, most of the Linux distributions affected by it were already patched. Most of the media reported on the problem on April 8, but the patch for the Heartbleed vulnerability was already in place on April 7. This is what the security notification looks like in Ubuntu.

“Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information. (CVE-2014-0160).”

“Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled timing during swap operations in the Montgomery ladder implementation. An attacker could use this issue to perform side-channel attacks and possibly recover ECDSA nonces. (CVE-2014-0076).”

You might think that this is the end of it, but it's not. In the last couple of days, an increasing number of posts have appeared on various channels stating that Ubuntu wasn't patched against the exploit.

The main method recommended to fix the problem was to upgrade the OpenSSL package on your system to a newer one, 1.0.1g. The OpenSSL 1.0.1f package was deemed vulnerable.

Now users have been running the following command in a terminal to see what version of OpenSSL they have installed:

openssl version

The result in Ubuntu is 1.0.1f, which, of course, prompted the messages about Ubuntu being vulnerable. What some users don't know is that Canonical doesn't always upgrade to a new upstream version of a package. They choose to backport just the security patch, and the upstream version number remains the same. Technically, the OpenSSL package version in Ubuntu is 1.0.1f-1ubuntu2, but the upstream version number on its own tells you nothing about whether the fix is present.
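As an added example that is not part of the article, here is a small POSIX shell script that does what the text recommends: it looks for the CVE id in the package changelog instead of trusting the upstream string printed by `openssl version`. The changelog text embedded below is a constructed sample in Debian changelog format; `libssl1.0.0` is the Ubuntu package name for the library and `apt-get changelog` is the apt command used by the optional live check.

```shell
#!/bin/sh
# Added example: decide whether an Ubuntu OpenSSL package carries the
# Heartbleed fix by searching the package changelog for the CVE id, not by
# comparing the upstream version string (which stays 1.0.1f after the patch).

# cve_fixed_in_changelog CVE-ID
# Reads a Debian-format changelog on stdin; prints "fixed" if the CVE id
# appears in any entry, "unknown" otherwise. Exit status is 0 either way.
cve_fixed_in_changelog() {
  cve="$1"
  if grep -qF -- "$cve"; then
    echo fixed
  else
    echo unknown
  fi
}

# upstream_version DEBIAN-VERSION
# Strips the Debian/Ubuntu revision suffix: "1.0.1f-1ubuntu2" -> "1.0.1f".
# The result is all that `openssl version` shows, which is why it misleads.
upstream_version() {
  printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# Constructed sample changelog (not the real Ubuntu one). It shows the shape
# of the problem: the upstream part stays 1.0.1f while the entry names the CVE.
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - CVE-2014-0160

 -- Example Maintainer <maintainer@example.invalid>  Mon, 07 Apr 2014 12:00:00 +0000
'

if [ "${1:-}" = "--live" ]; then
  # On a real Ubuntu system (network access needed for apt-get changelog).
  apt-get changelog libssl1.0.0 | cve_fixed_in_changelog CVE-2014-0160
  dpkg-query -W -f='${Version}\n' libssl1.0.0
else
  printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-2014-0160
  upstream_version 1.0.1f-1ubuntu2
fi
```

Services that loaded the old library before the package update keep running the unpatched code until they are restarted, so a "fixed" result from the changelog check still needs a restart of the affected daemons to take effect.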

Ubuntu users need to know that their operating systems are safe and that the Heartbleed vulnerability was corrected. Forget about version numbers and stop trying to manually install OpenSSL 1.0.1g. You might create other problems within the system by circumventing the package provided by Canonical.