Raspbian openssl (1.01e) is vulnerable to CVE-2014-0160

Bug #1440494 reported by Eric Westbrook
Affects: Raspbian | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The latest openssl available on raspbian remains uncorrected for the "Heartbleed" vulnerability from April 2014 (CVE-2014-0160).

$ sudo apt-get -y update && sudo apt-get -y upgrade
...
$ openssl version
OpenSSL 1.01e 11 Feb 2013

This is a critical security vulnerability. Corrected versions of openssl have been available upstream for a year now. Please make an updated version available in Raspbian immediately.

peter green (plugwash) wrote:

Raspbian wheezy has openssl version 1.0.1e-2+rvt+deb7u16, which is based on 1.0.1e-2+deb7u16 from Debian.

According to the Debian security tracker the CVE you mention was fixed ages ago in 1.0.1e-2+deb7u5

https://security-tracker.debian.org/tracker/CVE-2014-0160

Changed in raspbian:
status: New → Invalid
information type: Private Security → Public

Eric Westbrook (conquistadog) wrote:

Then the version string reported by "openssl version" is misleading if not outright wrong. I would have at least expected the date in that version string to reflect the fix, if for some hard-to-imagine reason the version number must be truncated.

How should one check that the version installed is indeed 1.0.1e-2+rvt+deb7u16?

Eric Westbrook (conquistadog) wrote:

Disregard last. Running "aptitude query openssl" on a freshly downloaded install from raspberrypi.org shows 1.0.1e-2+rvt+deb7u14 (still past 7u5, but not quite 7u16 as you report).

I find it rather disingenuous to not update the version string of the binary itself. I suppose that would be a Debian complaint?

peter green (plugwash) wrote:

>Disregard last. Running "aptitude query openssl" on a freshly downloaded install from
>raspberrypi.org shows 1.0.1e-2+rvt+deb7u14 (still past 7u5, but not quite 7u16 as you report).
We don't control when the raspberry pi foundation rebuild their images.

>I find it rather disingenuous to not update the version string of the binary itself. I suppose that would be a Debian complaint?
I would agree it's less than ideal that "openssl version" reflects only the upstream version and not the package version. That is something that would need to be discussed with the Debian package maintainers and/or openssl upstream with consideration taken of the possibility that some software may be attempting to parse that string. It is certainly not something I would want to unilaterally change in raspbian.
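
The practical consequence of the distinction drawn above is that a fix has to be checked against the Debian package version, not the upstream string the binary prints. The following is an added example, not code from this thread or from dpkg: a self-contained Python implementation of the Debian Policy version comparison (the ordering `dpkg --compare-versions` uses), applied to the versions quoted in this thread. The installed version would normally come from `dpkg-query -W -f='${Version}' openssl`; here it is embedded as a constant.

```python
import re

def _order(c):
    # Character weight from the Debian Policy comparison algorithm: '~' sorts
    # before everything (even end of string), digits and end of string are 0,
    # letters sort before other non-digit characters.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one fragment (upstream_version or debian_revision) dpkg-style:
    alternate between a non-digit run and a numeric run until both are consumed."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_version_compare(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch first, then
    upstream version, then Debian revision (the part after the last '-')."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def package_has_fix(installed, first_fixed):
    """True when the installed package version is at or past the version the
    Debian security tracker lists as the first one carrying the fix."""
    return deb_version_compare(installed, first_fixed) >= 0

if __name__ == "__main__":
    # Values quoted in this thread: the tracker's fixed version and the
    # version found on a fresh raspberrypi.org image (constructed input).
    fixed = "1.0.1e-2+deb7u5"
    installed = "1.0.1e-2+rvt+deb7u14"
    print(installed, "carries the CVE-2014-0160 fix:", package_has_fix(installed, fixed))
    # The binary's own string carries only the upstream part and cannot answer.
    print("'openssl version' alone reports:", installed.split("-")[0])
```

Note that "1.0.1e" on its own compares below "1.0.1e-2+deb7u5" (an absent revision counts as 0), which is exactly why the binary's version string cannot be used as the check.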

Eric Westbrook (conquistadog) wrote:

Fair enough. Thanks!
