Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

On my CentOS boxes I ran 'yum list | grep openssl'


This is the standard command:

  $ openssl version

  > OpenSSL 1.0.1f 6 Jan 2014


@stormbrew is correct about ubuntu, use -a or -v -b

    openssl version -v -b

    OpenSSL 1.0.1 14 Mar 2012
    built on: Wed Jan  8 20:45:51 UTC 2014


I'm totally confused by this. I'm running ubuntu LTS 12.04 and did

    sudo aptitude update
    sudo aptitude upgrade openssl
and then ran

    openssl version -a
and got the same results as you. How can it be built on January 8th if the patch was just made today?

[EDIT] running

    sudo aptitude upgrade
upgraded properly and now I'm getting a version that was compiled earlier today. I'm guessing I needed to update another package as well. Probably `libssl`?


upgrade will work because it updates libssl1.0.0 which is the package you want upgraded :) Openssl is the command line package and libssl1.0.0 is the library. i was able to upgrade openssl without upgrading libssl1.0.0.

  ben@ip-10-0-0-76:~$ dpkg -s libssl1.0.0 |grep Version
  Version: 1.0.1e-3ubuntu1

  ben@ip-10-0-0-76:~$ dpkg -s openssl |grep Version
  Version: 1.0.1e-3ubuntu1

  ben@ip-10-0-0-76:~$ sudo apt-get install openssl
  ...
  ben@ip-10-0-0-76:~$ dpkg -s libssl1.0.0 |grep Version
  Version: 1.0.1e-3ubuntu1

  ben@ip-10-0-0-76:~$ dpkg -s openssl |grep Version
  Version: 1.0.1e-3ubuntu1.2

  ben@ip-10-0-0-76:~$ openssl version -a
  OpenSSL 1.0.1e 11 Feb 2013
  built on: Mon Jul 15 12:44:45 UTC 2013
  platform: debian-amd64
  options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
  compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
  OPENSSLDIR: "/usr/lib/ssl"

  ben@ip-10-0-0-76:~$ sudo apt-get install libssl1.0.0

  ben@ip-10-0-0-76:~$ dpkg -s libssl1.0.0 |grep Version
  Version: 1.0.1e-3ubuntu1.2

  ben@ip-10-0-0-76:~$ openssl version -a
  OpenSSL 1.0.1e 11 Feb 2013
  built on: Mon Apr  7 20:33:19 UTC 2014
  platform: debian-amd64
  options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
  compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
  OPENSSLDIR: "/usr/lib/ssl"
i wonder how many people will do apt-get update openssl and assume they have fixed it


Thank you. That makes more sense now.

I'm guessing that tons of people will run into this. I bet a blog post would get you some traffic... :)


The package is called libssl1.0.0 -- it holds the shared libraries, while the openssl package contains utilities.


As far as I can tell, on ubuntu this reports "OpenSSL 1.0.1 14 Mar 2012" for all ubuntu versions, including the fixed one.


With "openssl version -a" you can see the built time.

  root@x ~ # openssl version -a
  OpenSSL 1.0.1 14 Mar 2012
  built on: Mon Apr  7 20:33:29 UTC 2014


Same here.

I got a "security warning" update when I logged in to the server (good), ran apt-get and installed, did openssl version, got the string as noted above (which seemed just a tad out of date).

So... I built and installed from source, and got... the same string.

Annoying.


My Linux Mint machine (based on 13.10) went from 1.0.1e Feb 2014 to 1.01 Mar 2012 int the last 2 hours, so that's definitely new.


I think someone screwed up on the version string big time.


try: dpkg -s openssl




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: