14.04 LTS brings OpenSSL 1.0.1.f .... heartbleed !
Marc Deslauriers
marcdeslauriers at videotron.ca
Thu Apr 17 14:20:58 UTC 2014
On 14-04-17 10:17 AM, BONNET, Frank wrote:
>
> Just installed 14.04 LTS and check the openssl version !!!
>
> OpenSSL> version
> OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL>
>
The openssl package version 1.0.1f-1ubuntu2 contains a backported fix for
heartbleed. 14.04 LTS is not vulnerable.
>From the changelog:
openssl (1.0.1f-1ubuntu2) trusty; urgency=medium
* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
- debian/patches/CVE-2014-0076.patch: add and use constant time swap in
crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
util/libeay.num.
- CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
- debian/patches/CVE-2014-0160.patch: use correct lengths in
ssl/d1_both.c, ssl/t1_lib.c.
- CVE-2014-0160
-- Marc Deslauriers <marc.deslauriers at ubuntu.com <https://launchpad.net/%7Emdeslaur>> Mon, 07 Apr 2014 15:37:53 -0400
Marc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20140417/f8736af5/attachment.html>
More information about the ubuntu-users
mailing list