
Upgrading to latest openssl


    Upgrading to latest openssl

    I've been unable to connect to github.
    ssh -v git@github.com results in "permission denied (publickey)" error.
    Support there says my keys are compromised and openssl version reports "OpenSSL 0.9.8g 19 Oct 2007" which seems to be seriously old since the security warnings about the openssl problems appear to be dated around the middle of 2008.

    I recently upgraded to 9.04 from 8.04. When I do
    sudo apt-get update
    sudo apt-get upgrade
    lots of stuff was upgraded but not openssl.

    How do I get the latest version of openssl so that I can regen my keys and get onto git?

    Thanks...jon

    #2
    Re: Upgrading to latest openssl

    sudo apt-get upgrade only updates/upgrades existing packages without regard to dependencies - packages won't be removed or added.

    Try running sudo apt-get dist-upgrade instead. Run sudo apt-get update first.
    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Re: Upgrading to latest openssl

      So I can't just update/replace the defective version of openssl... I have to upgrade to karmic?

      Sounds like using a sledge hammer to pound in what should be a small nail



        #4
        Re: Upgrading to latest openssl

        Anyway... that didn't solve the problem; still at the old version 0.9.8g 19 Oct 2007 (guess I don't understand what the dist-upgrade is supposed to do).



          #5
          Re: Upgrading to latest openssl

          So... I tried adding the jaunty-backports ppa, which has the 0.9.8g-15 version (supposedly fixes the security hole),
          deb http://archive.ubuntu.com/ubuntu jaunty-backports main universe multiverse restricted
          which I got from the ubuntu site.

          However, when I attempt to reload, and it starts to refresh the package cache, I get this error message:
          "A problem that we were not expecting has occurred.
          Please report this bug with the error description.
          Details:
          "Message did not receive a reply (timeout by message bus)"

          Huh?



            #6
            Re: Upgrading to latest openssl

            I think your repo URL is malformed. Try it like this:

            deb http://archive.ubuntu.com/ubuntu/dis...nty-backports/ main universe multiverse restricted



              #7
              Re: Upgrading to latest openssl

              sorry, doesn't work. As soon as I add that URL, I get the following from sudo apt-get update:

              Code:
              Err http://archive.ubuntu.com main/universe Packages
               404 Not Found [IP: 91.189.88.40 80]
              Err http://archive.ubuntu.com main/multiverse Packages
               404 Not Found [IP: 91.189.88.40 80]
              Err http://archive.ubuntu.com main/restricted Packages
               404 Not Found [IP: 91.189.88.40 80]
              W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-backports/dists/main/universe/binary-i386/Packages 404 Not Found [IP: 91.189.88.40 80]
              W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-backports/dists/main/multiverse/binary-i386/Packages 404 Not Found [IP: 91.189.88.40 80]
              W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-backports/dists/main/restricted/binary-i386/Packages 404 Not Found [IP: 91.189.88.40 80]
              E: Some index files failed to download, they have been ignored, or old ones used instead.



                #8
                Re: Upgrading to latest openssl

                BTW; I found the problem with the package cache error that I reported earlier; somehow the sources list got corrupted (two lines got joined into a single line).

                I fixed that by editing the sources list at /etc/apt/sources.list

                However, I still cannot update openssl...



                  #9
                  Re: Upgrading to latest openssl

                  Hmmm... Looks like Jaunty doesn't have the 'latest' version that is required to resolve the compromised openssl issue: not good.

                  I went to http://packages.ubuntu.com/it/jaunty/openssl which purports to have the latest Jaunty openssl. I first made sure that I had the latest security ppa and tried to install with that: nothing. So I downloaded that openssl file (openssl_0.9.8g-15ubuntu3.4_i386.deb) and then installed it directly (sudo dpkg -i openssl_0.9.8g-15ubuntu3.4_i386.deb) and everything went just fine as far as the install was concerned.

                  However, it still has the old, compromised version:

                  Code:
                  jseidel@EDP15:~/downloads$ openssl version
                  OpenSSL 0.9.8g 19 Oct 2007

                  This seems pretty serious: this version of openssl has been known to be compromised (i.e., the keys are easily guessable because of an error in Debian) since about 2008(!) and sites like github refuse to accept them. The recommendation is that anyone using these old versions delete their keys and regen them with the newest version (something like 0.9.8l is good, although there are later, beta versions out). For example, see:
                  http://digitaloffense.net/tools/debian-openssl/ and http://wiki.debian.org/SSLkeys and http://www.debian.org/security/2008/dsa-1571

                  Keys generated since 2006-09-17 are weak, according to the debian site...

                  I can't believe that Ubuntu has failed to notice and fix this -- there must be some obvious solution that I'm missing...?



                    #10
                    Re: Upgrading to latest openssl

                    Originally posted by JESii
                    I can't believe that Ubuntu has failed to notice and fix this

                    I'm not at my Kubuntu box and can't check the 9.10 repo, but you're running a version behind. Maybe it was noticed and fixed already.



                      #11
                      Re: Upgrading to latest openssl

                      Yes, I'm one version behind, but only recently.

                      Still, I would have expected this to have made it into Jaunty (notice the date this bug was found) or at least into the Jaunty security updates.



                        #12
                        Re: Upgrading to latest openssl

                        Hmmmm -- the same version is what is in Debian Lenny:

                        http://packages.debian.org/stable/allpackages (scroll down to openssl).

                        You have to go to Squeeze to get the new version:

                        http://packages.debian.org/testing/allpackages

                        If you can manage the dependency issues, you could install from Squeeze.

                        http://packages.debian.org/testing/openssl

                        Those libc6 dependencies might cause other issues on your system, however. :P



                          #13
                          Re: Upgrading to latest openssl

                          I'll bet that version has the Debian patch installed -- it was a one-line change that Debian made in error, so it really wasn't an openssl issue, but a Debian issue.



                            #14
                            Re: Upgrading to latest openssl

                            Do you mean this vulnerability:
                            http://www.ubuntu.com/usn/usn-612-1?

                            Sounds rather strange that jaunty would have a non-fixed version when it was fixed rather quickly in 7.04, 7.10 and 8.04 (then in development).

                            Do note that upgrading versions doesn't fix the keys (that were created with a faulty version), which should be re-generated.



                            Comment
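
Post #14's point, that keys generated by the faulty version stay weak after the package is upgraded, can be checked per key. The script below is an added example, not code from the thread: it matches `ssh-keygen -l` MD5 fingerprints against blacklist files in the openssh-blacklist format. The function names, the `BLACKLIST_DIR` variable and its default path, and the sample fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare an SSH key's MD5 fingerprint
# with openssh-blacklist data. Each blacklist line is the lower-case hex
# fingerprint without colons and with its first 12 characters dropped;
# files are named blacklist.<TYPE>-<BITS>, e.g. blacklist.RSA-2048.

# fp_tail LINE: parse one line of `ssh-keygen -l` output (with or without
# the "MD5:" prefix) and print "<TYPE>-<BITS> <20-hex-char tail>".
fp_tail() {
    printf '%s\n' "$1" | awk '{
        bits = $1; fp = tolower($2); type = $NF
        sub(/^md5:/, "", fp); gsub(/:/, "", fp); gsub(/[()]/, "", type)
        if (length(fp) != 32 || fp !~ /^[0-9a-f]+$/) exit 1  # e.g. SHA256
        print type "-" bits, substr(fp, 13)
    }'
}

# key_status LINE DIR: print WEAK, ok, unknown (no list for that key type
# and size) or unparsed. The status is printed; the return code stays 0.
key_status() {
    parsed=$(fp_tail "$1") || { echo unparsed; return 0; }
    list="$2/blacklist.${parsed%% *}"
    [ -r "$list" ] || { echo unknown; return 0; }
    if grep -qxF -- "${parsed#* }" "$list"; then echo WEAK; else echo ok; fi
}

# demo: run the check on constructed fingerprints (not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed list' 'cdef0123456789abcdef' > "$d/blacklist.RSA-2048"
    key_status '2048 MD5:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef jon@host (RSA)' "$d"
    key_status '2048 fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10 id_rsa.pub (RSA)' "$d"
    key_status '1024 MD5:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef jon@host (DSA)' "$d"
    rm -rf "$d"
}

# Real use: sh check.sh ~/.ssh/*.pub  (BLACKLIST_DIR default is an assumption:
# the directory where the distro's openssh-blacklist package puts its lists).
for pub in "$@"; do
    line=$(ssh-keygen -l -E md5 -f "$pub" 2>/dev/null || ssh-keygen -l -f "$pub") || continue
    printf '%s: %s\n' "$pub" "$(key_status "$line" "${BLACKLIST_DIR:-/usr/share/ssh}")"
done
```

Any key reported as WEAK has to be regenerated and its public half removed from every `authorized_keys` file and hosting account where it was installed. On releases that ship `ssh-vulnkey`, that tool performs the same check natively.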


                              #15
                              Re: Upgrading to latest openssl

                              Yep; that one.

                              Now here's the strange part. I decided to try regenerating my keys one more time. However, this time I used a different name for the key. Now, when I uploaded it to github, it worked?! I'm guessing one of two things (or both) solved the problem:
                              1) Reinstalling openssl from the Debian package, or
                              2) Using a different name for the key.

                              Go figure... anyway, it works so I'm a happy camper (but I don't understand why, which is a bother).

                              Thanks for everyone's help on this one...jon
