[Bug 1304651] Re: Heartbleed Bug

Marc Deslauriers marc.deslauriers at canonical.com
Tue Apr 15 16:19:24 UTC 2014


Heartbleed was fixed in Ubuntu 14.04 by the 1.0.1f-1ubuntu2 package that
I uploaded on April 7th.

From the changelog:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0076

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1304651

Title:
  Heartbleed Bug

Status in “openssl” package in Ubuntu:
  Fix Released

Bug description:
  CVE-2014-0160

  http://heartbleed.com/

  Current version of openssl packaged for Ubuntu is 1.0.1f, need to
  upgrade to 1.0.1g, and need backports for legacy systems. This is a
  pretty serious bug...
