Ubuntu
zabbix package

How to solve OpenSSL vulnerability in ubuntu10.04LTS

Asked by ramesh raman

Hi Team,

I am using ubuntu 10.04LTS Server edition in my production server with automatic update packages.
Server Information
root@351973-app4:~# uname -a; lsb_release -a; dpkg -l | grep linux-image
Linux 351973-app4 2.6.32-55-generic-pae #117-Ubuntu SMP Tue Dec 3 17:50:05 UTC 2013 i686 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid

How to solve the OpenSSL vulnerability issue and update packages
Now available package in the Production box

jaiken@live:~$ dpkg -l | grep '^ii' | grep openssl | awk '{print $2 "\t" $3}'
openssl 0.9.8k-7ubuntu8.15
jaiken@live:~$ dpkg -l | grep '^ii' | grep libssl | awk '{print $2 "\t" $3}'
libssl-dev 0.9.8k-7ubuntu8.15
libssl0.9.8 0.9.8k-7ubuntu8.15

Please take this as a high priority and give me solutions

Regards,
Ramesh R

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu zabbix Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

Lucid is no longer supported on the desktop in any way. It is EOL.

I suggest you wipe Lucid off and perform a clean install of Trusty which is due out in a week or so and is also LTS.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#2

see http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160
and http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076
and http://www.ubuntu.com/usn/usn-2165-1/

openssl 0.9.8k-7ubuntu8.15 as installed on Ubuntu 10.04 is not affected.

Revision history for this message
Warren Hill (warren-hill) said : 		#4

If you look here:
http://www.ubuntu.com/usn/usn-2165-1/

You will see that the problem only exists with 12.04 and later so 10.04 does not have the problem.

For these releases the fix is here: http://askubuntu.com/q/444702/107450.

I don't know if 14.04 has been fixed yet but but would be very surprised if it isn't fixed in time for the official release next week.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#5

@Warren Hill:
The trusty version seems to be solved in the 1.0.1f-1ubuntu2 version published two days ago:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160
 -- Marc Deslauriers <email address hidden> Mon, 07 Apr 2014 15:37:53 -0400

Revision history for this message
Daniel Letzeisen (dtl131) said : 		#6

@actionparsnip: Before recommending a user reinstall a production server for an issue like this, you should consult the list of server packages that qualify for 5 years of support (I can't google it at the moment, but I do know it exists).

openssl is a package that is included in LTS server support...

Can you help with this problem?

Provide an answer of your own, or ask ramesh raman for more information if necessary.

To post a message you must log in.