CVE-2014-0160

NameCVE-2014-0160
DescriptionThe (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2896-1
NVD severitymedium
Debian Bugs743883

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)stretch1.1.0l-1~deb9u1fixed
stretch (security)1.1.0l-1~deb9u3fixed
buster1.1.1d-0+deb10u6fixed
buster (security)1.1.1d-0+deb10u7fixed
bullseye1.1.1k-1fixed
bullseye (security)1.1.1k-1+deb11u1fixed
bookworm, sid1.1.1l-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsourcesqueeze(not affected)
opensslsourcewheezy1.0.1e-2+deb7u5DSA-2896-1
opensslsource(unstable)1.0.1g-1743883

Notes

[squeeze] - openssl <not-affected> (vulnerable code introduced in upstream commit 4817504)
fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
http://www.openssl.org/news/secadv/20140407.txt
system reboot is recommended after the upgrade

Search for package or bug name: Reporting problems