Ubuntu Is Not "Unprotected Against the Heartbleed Exploit"

HardOCP News

It seems as though there might be a little bad information going around about Ubuntu and the Heartbleed exploit and it is pissing off the Ubuntu community.

The Heartbleed vulnerability that was discovered just last week took the world by surprise, but most of the affected services and operating systems have been patched. Unfortunately, some of the Ubuntu users haven't understood how the patching process works and have started to flood the forums and other social media with the message that Ubuntu is vulnerable.
 
Of course people are flooding the Ubuntu forums. It is the single worst technical support system in the history of tech support. Idiots who post questions without reading or searching, whose questions never get answered due to sheer traffic volume.

And of course the previous 6,372 posts in the last 48 hours are never seen because of the aforementioned problems.

Ubuntu needs to change how it does things. This is less about Heartbleed than it is about how awful support for consumers is for Ubuntu.
 
If it's like any other *nix forum, it goes something like this:
User1: Can someone help me patch against the heartbleed bug?
User2: read the manual
User1: Where's the manual?
User2: in the faq
User1: Ok, found it, but the instructions don't make much sense to me, anyone have a walkthrough?
User2: For **** sakes, you want me to hold your hand while you pee too!? Read the manual, it's all in there, everything you need to know.
User1: I did what the manual says but I get error XYZ. What does that mean?
User2: Use the search
User1: I did, and it took me to the manual
User3: Read the manual
User4: I did the same thing User1 did, and get the same error
User2: Please start your own thread as not to confuse this one
User4: But it's the same error message
 
It seems that the major issue here is that Ubuntu doesn't follow the same versioning scheme that everyone else does, and is confused why users don't understand their version numbers.

OpenSSL 1.0.1f is the vulnerable version.
OpenSSL 1.0.1g is the fixed version that everyone uses to fix the issue.
OpenSSL 1.0.1f is the fixed version in Ubuntu.

Ubuntu just patched the 1.0.1f implementation (1.0.1f-1ubuntu2). This is not visible in the typical 'openssl version' output. Ubuntu created their own problem by making it overly difficult to tell the difference between a patched and unpatched system.
 
I updated my Ubuntu server and checked the OpenSSL version, the compile date was before the Heartbleed bug was announced, so how can that be the patched version?

Think I will stick to compiling 1.0.1g from source like I did on all my other servers.
 
Ubuntu needs to change how it does things. This is less about Heartbleed than it is about how awful support for consumers is for Ubuntu.

Replace Ubuntu with Linux and you are good.
If you want support you need to pay up for RedHat or other actually supported distros. Ubuntu doesn't need to change things at all, dumb users need to realize that when they use free software (which they all love oh-so-much) then they are each other's support system. Since the average of any reasonably sized group is stupid, you have the stupid trying to support the stupid with the following mixed in:

Which means User 2 is an idiot.

Except that User 2 gives the standard reply to when someone asks for help. The whole "read the man page" is how Linux support works.

Welcome to the wonderful world of open source.
 
I updated my Ubuntu server and checked the OpenSSL version, the compile date was before the Heartbleed bug was announced, so how can that be the patched version?

Think I will stick to compiling 1.0.1g from source like I did on all my other servers.

Read the manual and the FAQ dude, everything you need to know is THERE
 
Replace Ubuntu with Linux and you are good.
If you want support you need to pay up for RedHat or other actually supported distros. Ubuntu doesn't need to change things at all, dumb users need to realize that when they use free software (which they all love oh-so-much) then they are each other's support system. Since the average of any reasonably sized group is stupid, you have the stupid trying to support the stupid with the following mixed in:


Except most Linux distros are not foolish enough to think an overactive and overloaded forum where few questions get answered is the best and only needed support tool. Hell. Look at the Arch Wiki document. Everything you need to know and troubleshoot on it is documented and commented on in very readable format in a plethora of languages. Consequently the forum is not flooded with stupid... because there's a well-maintained tremendously valuable help-users-help-themselves tool in place.


Ubuntu is not typical of most Linuxes. It is the dysfunctional step-child.
 
Ubuntu is to Linux, as OS X is to UNIX.
In other words, they are the red-headed step-children of both.
 