14.04 LTS brings OpenSSL 1.0.1.f .... heartbleed !

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Apr 17 14:20:58 UTC 2014


On 14-04-17 10:17 AM, BONNET, Frank wrote:
>
> Just installed 14.04 LTS and checked the openssl version !!!
>
> OpenSSL> version
> OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL> 
>

The openssl package version 1.0.1f-1ubuntu2 contains a backported fix for
heartbleed. 14.04 LTS is not vulnerable.

From the changelog:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400


Marc.
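
The reply's point, that the fix is recorded in the package changelog rather than in the upstream version string, can be checked mechanically. The following is an added example, not part of the original message: `cve_fixed_in` and `sample_changelog` are hypothetical names introduced here, and the sample input is the changelog entry quoted above.

```shell
#!/bin/sh
# Added example; cve_fixed_in and sample_changelog are hypothetical names.

# Changelog entry quoted in the message above, embedded so the script runs offline.
sample_changelog() {
    cat <<'EOF'
openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400
EOF
}

# Usage: cve_fixed_in CVE-ID < changelog
# Prints "<package> <version>" once per changelog entry that names the CVE.
# Exit status is 0 if any entry names it, 1 otherwise.
cve_fixed_in() {
    awk -v cve="$1" '
        BEGIN {
            # Match the id as a whole token so a prefix of a longer id does not count.
            re = "(^|[^0-9A-Za-z])" cve "([^0-9]|$)"
        }
        # Entry header: package (version) distribution; urgency=level
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            pkg = $1; ver = $2
            gsub(/[()]/, "", ver)
            seen = 0
            next
        }
        pkg != "" && !seen && $0 ~ re {
            print pkg, ver
            seen = 1; found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

sample_changelog | cve_fixed_in CVE-2014-0160   # prints: openssl 1.0.1f-1ubuntu2
```

On an installed Debian or Ubuntu system the input would typically be the package's own changelog, for example `zcat /usr/share/doc/openssl/changelog.Debian.gz | cve_fixed_in CVE-2014-0160`, with the result compared against the version reported by `dpkg-query -W openssl`.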
