Software Versioning

I have recently started managing yet another server. The server is running Ubuntu 14.04 LTS and therefore support is good for another 5 years. Just to be safe, I double-checked the OpenSSL version after updating to make sure that it is not vulnerable to Heartbleed.

# openssl version
OpenSSL 1.0.1f 6 Jan 2014

From the back of my mind, I recalled that versions a-f were vulnerable and initially thought that my server was at risk. It was only after googling that I realised that the binary was actually patched. However, the maintainers decided not to increment the version number and also left the date unchanged. Without standardised version numbers across distros, it is difficult for sysadmins to keep track of vulnerable machines. It seems puzzling that the patch is done at the distro level and not by OpenSSL itself. Adding "-a" to the command subsequently revealed that the binary was indeed patched, having been built on a later date.

# openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
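To make the point above concrete, here is a small Python checker I have added to this post (it is not part of the original text and not an OpenSSL or Ubuntu tool). It parses the output of openssl version -a, classifies the version letter against the a-f range the post mentions, and then uses the "built on" date as a second signal: a 1.0.1a-f binary built before the public disclosure of Heartbleed (7 April 2014, which I take as a known date rather than something stated in the post) cannot contain the fix, whereas one built afterwards may carry a distro backport and still needs to be confirmed against the package changelog. The sample text is the output quoted above, re-typed as a constant.

```python
import re
from datetime import date, datetime

# Constructed sample: the `openssl version -a` output quoted in the post.
SAMPLE_OUTPUT = """OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
"""

# Heartbleed affected OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g was the
# first upstream release with the fix (the "a-f were vulnerable" rule from the post).
AFFECTED_BASE = "1.0.1"
FIRST_FIXED_LETTER = "g"
# Public disclosure date of Heartbleed (assumption, not stated in the post).
DISCLOSURE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", re.M)
# "built on: Fri Jun 20 18:54:02 UTC 2014" -> month, day, year (timezone ignored)
_BUILT_RE = re.compile(
    r"^built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+(\d{4})", re.M
)
_PLATFORM_RE = re.compile(r"^platform:\s*(\S+)", re.M)


def parse_openssl_version(text):
    """Extract base version, letter suffix, build date and platform from `openssl version -a`."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'OpenSSL x.y.z' line found")
    built_on = None
    b = _BUILT_RE.search(text)
    if b:
        # Some builds print "built on: reproducible build, date unspecified";
        # those fall through with built_on = None.
        built_on = datetime.strptime(" ".join(b.groups()), "%b %d %Y").date()
    p = _PLATFORM_RE.search(text)
    return {
        "base": m.group(1),
        "letter": m.group(2),
        "built_on": built_on,
        "platform": p.group(1) if p else None,
    }


def assess(info):
    """Classify a parsed version; the version string alone is never enough for a-f builds."""
    if info["base"] != AFFECTED_BASE or info["letter"] >= FIRST_FIXED_LETTER:
        return "not-affected-by-version"
    if info["built_on"] is None:
        return "unknown-check-distro-package"
    if info["built_on"] < DISCLOSURE:
        # Built before the fix existed anywhere: no backport can be present.
        return "vulnerable"
    # Built after disclosure: a distro backport is possible, but only the
    # package changelog (e.g. apt-get changelog openssl) can confirm it.
    return "possibly-patched-verify-distro-package"


def check(text):
    """Convenience wrapper: parse and assess in one call."""
    return assess(parse_openssl_version(text))


if __name__ == "__main__":
    info = parse_openssl_version(SAMPLE_OUTPUT)
    print(info)
    print(check(SAMPLE_OUTPUT))
```

On the output quoted in the post the verdict is "possibly-patched-verify-distro-package": the 1.0.1f string alone would be flagged, but the June 2014 build date shows the binary was rebuilt after the fix was available, which is exactly the ambiguity that the unchanged version number creates. The verdict deliberately stops short of "patched"; that confirmation has to come from the distro package version or changelog, not from the upstream version string.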