ronb
Posts: 12
Joined: Fri Sep 14, 2012 10:07 pm

New Openssl 1.0.1j to work-around POODLE issue

Sun Oct 26, 2014 6:05 am

Any word on whether a Raspberry Pi Raspbian version of openssl 1.0.1j will be available soon?
I believe this version contains a work-around for the POODLE issue.

fruitoftheloom
Posts: 23336
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: New Openssl 1.0.1j to work-around POODLE issue

Sun Oct 26, 2014 6:15 am

ronb wrote:
> Any word on whether a Raspberry Pi Raspbian version of openssl 1.0.1j will be available soon?
> I believe this version contains a work-around for the POODLE issue.

Yes, an OpenSSL update has been rolled out for Raspbian Wheezy:

Code:

sudo apt-get update
sudo apt-get dist-upgrade
openssl 1.0.1e-2+rvt+deb7u13
libssl 1.0.1e-2+rvt+deb7u13

Rather than negativity think outside the box !
RPi 4B 4GB (SSD Boot)..
Asus ChromeBox 3 Celeron is my other computer...

ronb
Posts: 12
Joined: Fri Sep 14, 2012 10:07 pm

Re: New Openssl 1.0.1j to work-around POODLE issue

Wed Oct 29, 2014 2:47 am

Thanks for the info. I did the update/upgrade, but openssl reports the same version as before the upgrade.

Code:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

But then a dpkg-query gives:

Code:

libssl1.0.0:armhf       1.0.1e-2+rvt+deb7u13
openssl 1.0.1e-2+rvt+deb7u13

So I guess I have the right version even though the openssl version command gives the same as before...

rpdom
Posts: 17170
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: New Openssl 1.0.1j to work-around POODLE issue

Wed Oct 29, 2014 10:56 am

You do have the right version.

If you check the start of /usr/share/doc/openssl/changelog.Debian.gz you will see

Code:

openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium

  * Fixes CVE-2014-3513
  * Fixes CVE-2014-3567
  * Add Fallback SCSV support to mitigate CVE-2014-3566
  * Fixes CVE-2014-3568

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Oct 2014 19:45:25 +0200

CVE-2014-3566 is the ID of the POODLE vulnerability and adding Fallback SCSV support is one way of stopping it being an issue.
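
The changelog check described in the post above, scripted as an added example (not part of the original thread). It reports which package revision's changelog entry mentions a given CVE, which is the thing to check when `openssl version` still shows the upstream 1.0.1e. The function names `cve_fixed_in` and `sample_changelog` are hypothetical, and the older entry in the sample is constructed.

```shell
#!/bin/sh
# cve_fixed_in CHANGELOG CVE-ID
# Prints the version of the oldest changelog entry that mentions the CVE
# (the revision that introduced the fix). Returns 1 if no entry mentions it.
cve_fixed_in() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | awk -v cve="$2" '
        # Entry header: "package (version) distribution; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        # Change lines are indented; compare whole tokens so that a
        # truncated ID such as CVE-2014-356 does not match CVE-2014-3566.
        /^ / && ver != "" {
            n = split($0, words, /[^A-Za-z0-9-]+/)
            for (i = 1; i <= n; i++) if (words[i] == cve) found = ver
        }
        # Entries are newest first, so the last match is the oldest one.
        END { if (found == "") exit 1; print found }
    '
}

# Sample input: the first entry is the one quoted in the thread; the second
# entry (version and CVE ID) is constructed for illustration.
sample_changelog() {
cat <<'EOF'
openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium

  * Fixes CVE-2014-3513
  * Fixes CVE-2014-3567
  * Add Fallback SCSV support to mitigate CVE-2014-3566
  * Fixes CVE-2014-3568

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Oct 2014 19:45:25 +0200

openssl (1.0.1e-2+example1) wheezy-security; urgency=medium

  * Fixes CVE-0000-0001 (constructed placeholder)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Sep 2014 00:00:00 +0000
EOF
}

# Demo on the sample. On a real system, pass
# /usr/share/doc/openssl/changelog.Debian.gz instead of the temp file.
tmp=$(mktemp) && sample_changelog > "$tmp"
echo "CVE-2014-3566 addressed in: $(cve_fixed_in "$tmp" CVE-2014-3566)"
rm -f "$tmp"
```

The printed revision can then be compared against the installed one reported by `dpkg-query`.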

ronb
Posts: 12
Joined: Fri Sep 14, 2012 10:07 pm

Re: New Openssl 1.0.1j to work-around POODLE issue

Wed Oct 29, 2014 3:49 pm

Thanks!

Ron
