CVE-2014-0160

Name: CVE-2014-0160
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2896-1
NVD severity: medium (attack range: remote)
Debian Bugs: 743883
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                     | Version            | Status
---------------|-----------------------------|--------------------|-------
openssl (PTS)  | squeeze, squeeze (security) | 0.9.8o-4squeeze14  | fixed
               | squeeze (lts)               | 0.9.8o-4squeeze21  | fixed
               | wheezy                      | 1.0.1e-2+deb7u13   | fixed
               | wheezy (security)           | 1.0.1e-2+deb7u17   | fixed
               | jessie                      | 1.0.1k-3           | fixed
               | jessie (security)           | 1.0.1k-3+deb8u1    | fixed
               | stretch, sid                | 1.0.2c-1           | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
--------|--------|------------|------------------|---------|------------|------------
openssl | source | (unstable) | 1.0.1g-1         | medium  |            | 743883
openssl | source | squeeze    | (not affected)   |         |            |
openssl | source | wheezy     | 1.0.1e-2+deb7u5  | medium  | DSA-2896-1 |

Notes

[squeeze] - openssl <not-affected> (vulnerable code introduced in upstream commit 4817504)
fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
advisory: http://www.openssl.org/news/secadv_20140407.txt
A system reboot is recommended after the upgrade.
