FS#39775 - [OpenSSL][SECURITY] TLS heartbeat read overrun (CVE-2014-0160)

Attached to Project: Arch Linux
Opened by netmonk (netmonk) - Monday, 07 April 2014, 20:17 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Tuesday, 08 April 2014, 08:16 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Critical
Priority Flash
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 7
Private No


A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Additional info:
* 1.0.1.f-2

Steps to reproduce:
This task depends upon
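The missing bounds check described in the report, shown as an added example (not code from this ticket or from OpenSSL): a minimal parser for the RFC 6520 heartbeat message, with the length arithmetic the unpatched 1.0.1f path trusted beside the check that 1.0.1g adds. The record layouts and the two sample records are constructed for this example; the padding bytes in the response are zero-filled here as a placeholder where OpenSSL draws random bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed sample records (not captured traffic). */
/* A benign request: payload_length 5, payload "hello", 16 bytes padding. */
const uint8_t hb_benign[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* A hostile request: claims payload_length 0xFFFF but carries 1 byte. */
const uint8_t hb_malicious[] = {
    0x01, 0xFF, 0xFF, 0x41,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Decode the 16-bit length field (what OpenSSL's n2s() macro does). */
static uint16_t hb_payload_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Bytes past the end of the record that the unpatched code would have
 * copied into the response: it trusted payload_length and memcpy'd that
 * many bytes from the payload pointer without comparing against the
 * record length. Computed arithmetically; no out-of-bounds read happens. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;              /* header not even present */
    size_t claimed = hb_payload_len(rec);
    size_t available = rec_len - 3;
    return claimed > available ? claimed - available : 0;
}

/* The bounds check added in 1.0.1g. Returns 0 and sets *payload_len when
 * the record is well-formed; returns -1 when it must be silently dropped. */
int hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;   /* too short to hold header + padding */
    uint16_t plen = hb_payload_len(rec);
    if (1 + 2 + (size_t)plen + HB_MIN_PADDING > rec_len) return -1;
    *payload_len = plen;
    return 0;
}

/* Build the response into out (capacity out_cap). Returns the response
 * length, or 0 when the request is rejected or out is too small. Only
 * bytes that hb_validate proved lie inside rec are ever copied. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (hb_validate(rec, rec_len, &plen) != 0) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xFF);
    memcpy(out + 3, rec + 3, plen);          /* echo exactly plen bytes of payload */
    memset(out + 3 + plen, 0, HB_MIN_PADDING); /* placeholder for random padding */
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("benign:    overread=%zu response=%zu bytes\n",
           hb_overread_bytes(hb_benign, sizeof hb_benign),
           hb_build_response(hb_benign, sizeof hb_benign, out, sizeof out));
    printf("malicious: overread=%zu response=%zu bytes\n",
           hb_overread_bytes(hb_malicious, sizeof hb_malicious),
           hb_build_response(hb_malicious, sizeof hb_malicious, out, sizeof out));
    return 0;
}
```

The hostile record is only 20 bytes long, yet the unpatched path would have copied 65535 bytes from the payload pointer, which is where the "up to 64k of memory" in the report comes from; the patched check rejects it before any copy. Recompiling with -DOPENSSL_NO_HEARTBEATS, as the report suggests, removes this whole code path rather than adding the check.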

Closed by Bartłomiej Piotrowski (Barthalion)
Tuesday, 08 April 2014, 08:16 GMT
Reason for closing: Fixed
Comment by netmonk (netmonk) - Monday, 07 April 2014, 20:25 GMT
Upgrade to 1.0.1.g is highly recommended and this new release is already available: http://www.openssl.org/source/
Comment by Thomas (thomasbk) - Monday, 07 April 2014, 21:44 GMT
Severity should be critical, as current version allows for remote disclosure of private key. See http://heartbleed.com/
Comment by Anatol Pomozov (anatolik) - Monday, 07 April 2014, 22:45 GMT
Debian has updated their security repo already https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883
Comment by netmonk (netmonk) - Tuesday, 08 April 2014, 06:35 GMT
I was unable to modify the severity and priority after creating this ticket.