CVE-2014-0160

Priority
High
Description
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do
not properly handle Heartbeat Extension packets, which allows remote
attackers to obtain sensitive information from process memory via crafted
packets that trigger a buffer over-read, as demonstrated by reading private
keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
References
Assigned-to
mdeslaur
Package
Upstream: not-affected
Ubuntu 10.04 LTS (Lucid Lynx): DNE
Ubuntu 12.04 LTS (Precise Pangolin): not-affected
Ubuntu 12.10 (Quantal Quetzal): not-affected
Ubuntu 13.10 (Saucy Salamander): not-affected
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Package
Upstream: released (1.0.1g)
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (code not present)
Ubuntu 12.04 LTS (Precise Pangolin): released (1.0.1-4ubuntu5.12)
Ubuntu 12.10 (Quantal Quetzal): released (1.0.1c-3ubuntu2.7)
Ubuntu 13.10 (Saucy Salamander): released (1.0.1e-3ubuntu1.2)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.0.1f-1ubuntu2)
Patches:
Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 (1.0.1)
More Information

Updated: 2014-04-09 15:14:42 UTC (commit 7923)