FS#39775 - [OpenSSL][SECURITY] TLS heartbeat read overrun (CVE-2014-0160)
Attached to Project:
Arch Linux
Opened by netmonk (netmonk) - Monday, 07 April 2014, 20:17 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Tuesday, 08 April 2014, 08:16 GMT
Opened by netmonk (netmonk) - Monday, 07 April 2014, 20:17 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Tuesday, 08 April 2014, 08:16 GMT
|
Details
Description:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2. Additional info: * 1.0.1.f-2 Steps to reproduce: |
This task depends upon
Closed by Bartłomiej Piotrowski (Barthalion)
Tuesday, 08 April 2014, 08:16 GMT
Reason for closing: Fixed
Tuesday, 08 April 2014, 08:16 GMT
Reason for closing: Fixed
Comment by netmonk (netmonk) -
Monday, 07 April 2014, 20:25 GMT
Comment by Thomas (thomasbk) -
Monday, 07 April 2014, 21:44 GMT
Comment by
Anatol Pomozov (anatolik) - Monday,
07 April 2014, 22:45 GMT
Comment by netmonk (netmonk) -
Tuesday, 08 April 2014, 06:35 GMT
upgrade to 1.0.1.g is highly recommended and this new release is
already available :
http://www.openssl.org/source/
Severity should be critical, as current version allows for remote
disclosure of private key. See
http://heartbleed.com/
Debian has updated their security repo already
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883
i was unable to modify the severity and priority after creating
this ticket.