
I just installed update openssl_1.0.1e-2+deb7u5 and libssl1.0.0_1.0.1e-2+deb7u5 on debian wheezy, so it seems the fix is now available.


You need to manually restart all processes linking libssl, too.

Something like "lsof -n | grep ssl | grep DEL" can identify processes using the DELeted old version of libssl after apt-get upgrading.
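
The check behind the `lsof -n | grep ssl | grep DEL` approach above, as an added example that is not part of the original thread: a shell function that reads each process's `maps` file and reports those still mapping a libssl or libcrypto file marked `(deleted)`. The `demo_tree` helper, with its PIDs, process names and map lines, is constructed sample data.

```shell
#!/bin/sh
# Added example: list processes that still map a deleted libssl/libcrypto.
# Prints one "pid name" line per affected process.
# Argument: proc root to scan (defaults to /proc).
stale_ssl_pids() {
    procroot=${1:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        # Skip processes we may not read and the unexpanded glob.
        [ -r "$maps" ] || continue
        # After the package upgrade, the old library is still mapped as e.g.
        #   ... /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
        if grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]*[[:space:]]+\(deleted\)$' \
                "$maps" 2>/dev/null; then
            piddir=${maps%/maps}
            pid=${piddir##*/}
            name=$(cat "$piddir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
    return 0
}

# Constructed sample tree (not real process data) for trying the function
# without root: two stale processes and one already restarted.
demo_tree() {
    d=$(mktemp -d)
    lib=/usr/lib/x86_64-linux-gnu
    mkdir -p "$d/101" "$d/202" "$d/303"
    echo "7f00a000-7f00f000 r-xp 00000000 08:01 42 $lib/libssl.so.1.0.0 (deleted)" \
        > "$d/101/maps"
    echo nginx > "$d/101/comm"
    echo "7f00a000-7f00f000 r-xp 00000000 08:01 77 $lib/libssl.so.1.0.0" \
        > "$d/202/maps"
    echo sshd > "$d/202/comm"
    echo "7f01a000-7f01f000 r-xp 00000000 08:01 43 $lib/libcrypto.so.1.0.0 (deleted)" \
        > "$d/303/maps"
    echo apache2 > "$d/303/comm"
    echo "$d"
}
```

Run `stale_ssl_pids` as root so that other users' `maps` files are readable; statically linked binaries do not show up in this check.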


Debian comes with a handy tool for this called 'checkrestart' in the debian-goodies package.

    sudo apt-get install debian-goodies
    sudo checkrestart


Thanks for the hint, I hadn't heard of this one. Should be built-in to apt, I think! :)


It seems like you are somewhat new to the Debian utopia. Here is another great package that a lot of people are not aware of: `apt-listbugs`. After you say "yes" to apt-get upgrade, apt-listbugs queries the BTS for bugs in the packages:version you are about to install. If any bugs are found, you have the chance to review the report to see if it applies to you, and if it does, you can have apt-listbugs pin the package so that the new buggy version is not installed. Every night at midnight (I think) apt-listbugs queries the BTS to see if the bugs are still relevant and unpins the package if the bug is no longer relevant. It is especially handy for testing/unstable/experimental.

By default it only prompts you for grave-serious bugs. I have been bitten a couple of times by "important" bugs, so I set listbugs up so that it also checks for "important" bugs. This makes it a tiny bit noisier but not enough to make me switch to the defaults. Changing the severities is easy:

   diff --git a/apt/apt.conf.d/10apt-listbugs b/apt/apt.conf.d/10apt-listbugs
   index 13b5409..857f3f4 100644
   --- a/apt/apt.conf.d/10apt-listbugs
   +++ b/apt/apt.conf.d/10apt-listbugs  @@ -4,5 +4,5 
   @@ DPkg::Pre-Install-Pkgs {"/usr/sbin/apt-listbugs apt";};
   DPkg::Tools::Options::/usr/sbin/apt-listbugs "";
   DPkg::Tools::Options::/usr/sbin/apt-listbugs::Version "3";
   DPkg::Tools::Options::/usr/sbin/apt-listbugs::InfoFD "20";
  -AptListbugs::Severities "critical,grave,serious";
  +AptListbugs::Severities "critical,grave,serious,important";
   // AptListbugs::IgnoreRegexp "FTBFS";
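
Review bot: the `AptListbugs::Severities` line is changed in place inside the packaged `10apt-listbugs` file, so the local setting is mixed in with the shipped `DPkg::` hook lines and has to be carried forward whenever that file changes. Since files in `apt.conf.d` are read in lexical order and later values override earlier ones, putting the single `AptListbugs::Severities "critical,grave,serious,important";` line in a separate, later-sorted file would keep the override apart from the shipped configuration. Also note that, as pasted, the `@@ -4,5 +4,5` header is fused onto the `+++` line, so the patch will not apply without repairing that.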


Thanks for reminding, almost forgot about that.


Just saw the following updated when I did an 'apt-get clean; aptitude dist-upgrade' on Debian Wheezy:

libssl1.0.0 openssh-client openssh-server openssl ssh


I just wanted to point out that you really do not need the `apt-get clean`. Obviously your workflow is your business, but I wanted to speak up in case you thought it was needed before upgrading packages.


I meant to say 'apt-get update'. Thanks for the heads up. I like to be sure I have the latest package metadata.


Just received an upgrade on Ubuntu 12.04 LTS as well, apt-get clean issued before updating.

EDIT: If you are using DigitalOcean, the update is not yet on their mirrors. Issue 'sudo sed -i "s/mirrors\.digitalocean/archive.ubuntu/g" /etc/apt/sources.list;sudo apt-get clean;sudo apt-get update;sudo apt-get upgrade' to get the patch. Check the comment by 0x0 above ( https://news.ycombinator.com/item?id=7549842 ) to find any services which need restarting.


I can confirm this for vanilla Ubuntu 12.04 LTS. I've been checking for the past hour. The updates for the following just appeared:

    Setting up libssl-doc (1.0.1-4ubuntu5.12) ...
    Setting up libssl-dev (1.0.1-4ubuntu5.12) ...
    Setting up openssl (1.0.1-4ubuntu5.12) ...


Yup, in Ubuntu 12.04 LTS version 1.0.1-4ubuntu5.12 is what you need.

Here's the changelog: http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/...


We're actively working to update. :)


Same for hetzner.de: the default sources.list points to their [for the moment] outdated update-server.



