ROS 6, OpenSSL, and package updates?
btaroli (Prodigy), Apr 08, 2014
No sooner do I read this evening that Fedora and others are quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug than I log into my 516 to see what version it's running. Oh my, 1.0.1e. When did that happen? Are there magic upgrade faeries on the NAS? :D
47 Replies
- wtriba (Aspirant): On further checking, my NV+ (v1) has 0.9.8g installed, so it appears that it does not have the Heartbleed bug.
- alanwsg1 (Aspirant): I'm afraid I've lost the plot here, my RN102 says it's running 1.0.1e, am I secure or not?
- StephenB (Guru - Experienced User):
  alanwsg wrote: I'm afraid I've lost the plot here, my RN102 says it's running 1.0.1e, am I secure or not?
  The bug fixes started rolling out yesterday (7 April 2014), so if you haven't updated OpenSSL manually you are not secure.
  I am also confused on how 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 relate to 1.0.1g.
- wtriba (Aspirant): The simplest way to figure out if you have the bug is to check your version:
      dpkg -l | grep openssl
  And the build date:
      openssl version -b
  Any 1.0.1 version with a date older than April 7, 2014 is vulnerable to compromise.
- mangrove (Apprentice):
  StephenB wrote: 1.0.1e-2+deb7u6
  Backported security fix for wheezy.
- StephenB (Guru - Experienced User):
  mangrove wrote:
    StephenB wrote: 1.0.1e-2+deb7u6
    Backported security fix for wheezy.
  Yes, though the guidance from heartbleed.com is to use 1.0.1g. I'm unclear as to what other changes might be missing from 1.0.1e-2+deb7u6.
- fastfwd (Virtuoso):
  StephenB wrote: The bug fixes started rolling out yesterday (7 April 2014), so if you haven't updated OpenSSL manually you are not secure.
  That is correct.
  StephenB wrote: I am also confused on how 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 relate to 1.0.1g.
  OpenSSL is its own project; it released 1.0.1e a year ago. Shortly thereafter, the Debian project maintainers incorporated it into their Linux distro.
  The OpenSSL project released 1.0.1g yesterday, and the Debian project will undoubtedly incorporate that version into the next release of Debian Linux. But it would be imprudent for them to update the earlier, already-released versions of Debian (like "Wheezy", the version used by the ReadyNAS OS6 devices) to 1.0.1g without significant testing, because over the last year many other changes were made between 1.0.1e and 1.0.1g. That testing would take a lot of time, but the bug is serious and should be fixed immediately.
  Fortunately, the fix is very straightforward (just a couple of lines of code), so the Debian Security team decided that it was safe to make just that one bugfix change to Wheezy's 1.0.1e (without adding any of the other changes made to OpenSSL over the last year). They released the slightly modified 1.0.1e as 1.0.1e-2+deb7u5 yesterday, then made some minor tweaks to it today and released that as 1.0.1e-2+deb7u6. Both those versions contain the crucial bugfix; the latter one also handles service restarts better.
  You can see the list of other major changes between 1.0.1e and 1.0.1g by looking at the OpenSSL release notes here: http://www.openssl.org/news/openssl-1.0.1-notes.html. I posted the Debian changelog for 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 in an earlier message.
- mangrove (Apprentice):
  StephenB wrote: Yes, though the guidance from heartbleed.com is to use 1.0.1g. I'm unclear as to what other changes might be missing from 1.0.1e-2+deb7u6.
  StephenB wrote: Backported security fix for wheezy.
  Debian are after all famously conservative :D
  Security fixes are always backported though.
  The version of OpenSSL I use on OS4 was too old to be affected... :roll:
- btaroli (Prodigy): http://www.debian.org/security/2014/dsa-2896
  For wheezy (which 6.1.6 falls into) it's fixed in 1.0.1e-2+deb7u5. I'm not sure which major release NV+ and 5.x systems run. Patching it may (for some older systems) come down to Netgear? Not sure.
  Don't necessarily go by package version, though. Build is safer. But in general, check the CVE report from each distro to be absolutely sure.
- btaroli (Prodigy): I've applied the deb7u5 openssl to my 6.1.7 installation, as described earlier, and it seems to have worked OK. Strangely, "openssl version" still reports "11 Feb 2013" but the build is dated 07-APR-2014 20:32:27 UTC.
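The checks discussed in this thread, turned into a script: wtriba's two commands (package version from `dpkg -l`, build date from `openssl version -b`), the wheezy fix threshold 1.0.1e-2+deb7u5 from DSA-2896, and btaroli's observation that the date printed by plain `openssl version` is the upstream release date and does not move when Debian backports a fix, so only the build date and the package revision are worth trusting. This is an added example, not code from the thread, NETGEAR or Debian. The command outputs it parses are constructed samples, the function names are my own, and the version ordering is a port of dpkg's comparison algorithm rather than a call to `dpkg --compare-versions`, so it runs on a machine without dpkg.

```python
"""Added example: decide whether an OpenSSL install is Heartbleed-patched using
the checks from the thread. Inputs are the text of `openssl version`,
`openssl version -b` and `dpkg -l openssl`; the samples are constructed."""
import re
from datetime import date

FIXED_WHEEZY = "1.0.1e-2+deb7u5"   # first fixed wheezy package (DSA-2896)
FIX_DATE = date(2014, 4, 7)        # thread rule: a 1.0.1 built before this is unpatched
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample command outputs (not captured from a real device).
SAMPLE_VERSION = "OpenSSL 1.0.1e 11 Feb 2013"        # release date: unchanged by a backport
SAMPLE_OLD_VERSION = "OpenSSL 0.9.8g 19 Oct 2007"
SAMPLE_B_BEFORE = "built on: Mon Feb 11 15:23:11 UTC 2013"
SAMPLE_B_AFTER = "built on: Mon Apr  7 20:32:27 UTC 2014"
SAMPLE_DPKG_BEFORE = "ii  openssl  1.0.1e-2+deb7u4  amd64  Secure Sockets Layer toolkit\n"
SAMPLE_DPKG_AFTER = "ii  openssl  1.0.1e-2+deb7u5  amd64  Secure Sockets Layer toolkit\n"


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, even end of string."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _at(s, k):
    return s[k] if k < len(s) else None


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while ((_at(a, i) is not None and not a[i].isdigit())
               or (_at(b, j) is not None and not b[j].isdigit())):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while _at(a, i) == "0":          # leading zeros do not count
            i += 1
        while _at(b, j) == "0":
            j += 1
        while (_at(a, i) is not None and a[i].isdigit()
               and _at(b, j) is not None and b[j].isdigit()):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _at(a, i) is not None and a[i].isdigit():   # longer number wins
            return 1
        if _at(b, j) is not None and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(v1, v2):
    """Compare Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def package_version(dpkg_output, package="openssl"):
    """Version column of `package` from `dpkg -l` output, or None if not installed."""
    for line in dpkg_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1].split(":")[0] == package:
            return f[2]
    return None


def build_date(version_b_output):
    """Date from `openssl version -b`, e.g. 'built on: Mon Apr  7 20:32:27 UTC 2014'."""
    m = re.search(r"\b([A-Z][a-z]{2}) +(\d{1,2}) +\d\d:\d\d:\d\d +\S+ +(\d{4})",
                  version_b_output)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def heartbleed_status(version_out, version_b_out, dpkg_out=None, fixed_pkg=FIXED_WHEEZY):
    """'not-affected', 'patched', 'vulnerable', or 'inconsistent' if the checks disagree."""
    m = re.search(r"OpenSSL (\S+)", version_out)
    upstream = m.group(1) if m else ""
    # Only the 1.0.1 branch is handled here (1.0.2-beta1 was also affected upstream).
    if not upstream.startswith("1.0.1"):
        return "not-affected"
    if _verrevcmp(upstream, "1.0.1g") >= 0:   # upstream fix release or later
        return "patched"
    built = build_date(version_b_out)
    by_date = built is not None and built >= FIX_DATE
    pkg = package_version(dpkg_out) if dpkg_out else None
    if pkg is None:                           # no dpkg (e.g. older NAS): build date only
        return "patched" if by_date else "vulnerable"
    by_version = debian_version_cmp(pkg, fixed_pkg) >= 0
    if by_date == by_version:
        return "patched" if by_date else "vulnerable"
    return "inconsistent"


if __name__ == "__main__":
    print("NV+ 0.9.8g:   ", heartbleed_status(SAMPLE_OLD_VERSION, ""))
    print("wheezy deb7u4:", heartbleed_status(SAMPLE_VERSION, SAMPLE_B_BEFORE, SAMPLE_DPKG_BEFORE))
    print("wheezy deb7u5:", heartbleed_status(SAMPLE_VERSION, SAMPLE_B_AFTER, SAMPLE_DPKG_AFTER))
```

On a real device, feed it the actual output of `openssl version`, `openssl version -b` and `dpkg -l openssl`. The "inconsistent" verdict is the case btaroli warns about: a package version that says one thing while the binary's build date says another, which is the signal to go back to the distro's advisory rather than trust either number alone.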