On Fri, Apr 11, 2014 at 08:40:17AM +0200, Jerzy Sobczyk wrote:
> Hello!
>
> After reading the advisory DSA-2896-1 openssl -- security update
> I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
> and tested them again with:
> http://filippo.io/Heartbleed/#example.server.domain
>
> http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
> And still I get "IS VULNERABLE" results!
> Does it mean that tests are wrong or the package is not fixed?
>
> After a while I have discovered that upgrading openssl package is not enough!
> It is necessary to upgrade also packages (may be too many):
> libcrypto1.0.0-udeb
> libssl-dev
> libssl-doc
> libssl1.0.0
> libssl1.0.0-dbg
> IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
> Alternatively (better) openssl package should require
> newer versions of necessary libraries.

You need to update libssl1.0.0, it has always been written in the advisory.

Kurt
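
Added example, not part of the thread and not Debian's own tooling: a shell check for the situation discussed above, where `openssl` is upgraded but `libssl1.0.0` is not. It also lists processes that still map the replaced library file, since a running daemon keeps the old code loaded until it is restarted. The wanted version is the one quoted in the original message; the function names and the `--check` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. WANT_DEFAULT is the version quoted in
# the original message; pass another one after --check if needed.
WANT_DEFAULT='1.0.1e-2+deb7u6'

# Reads "package version" lines on stdin, as printed by
#   dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0
# and prints each package that is not at the wanted version.
lagging_packages() {
    awk -v want="$1" 'NF >= 2 && ($2 "") != (want "") { print $1 " " $2 }'
}

# Prints the PID of every process under the given root (default /proc) that
# still maps a replaced libssl/libcrypto 1.0.0 file. The kernel marks such
# mappings "(deleted)" until the process is restarted.
stale_libssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so\.1\.0\.0 \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Hypothetical wrapper: run both checks on the local host.
check_host() {
    want=${1:-$WANT_DEFAULT}
    dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0 2>/dev/null |
        lagging_packages "$want" | sed 's/^/not at wanted version: /'
    stale_libssl_pids /proc | sed 's/^/still maps old library, restart PID: /'
}

# Only runs when invoked with --check, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then check_host "${2:-}"; fi
```

Run it as root with `--check` so that the memory maps of all processes are readable.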