CVE-2014-0160

NameCVE-2014-0160
DescriptionThe (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
SourceCVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2896-1
NVD severitymedium (attack range: remote)
Debian Bugs743883

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)wheezy1.0.1e-2+deb7u20fixed
wheezy (security)1.0.1e-2+deb7u21fixed
jessie1.0.1k-3+deb8u4fixed
jessie (security)1.0.1k-3+deb8u5fixed
stretch, sid1.0.2h-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsource(unstable)1.0.1g-1medium743883
opensslsourcesqueeze(not affected)
opensslsourcewheezy1.0.1e-2+deb7u5mediumDSA-2896-1

Notes

[squeeze] - openssl <not-affected> (vulnerable code introduced in upstream commit 4817504)
fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
http://www.openssl.org/news/secadv/20140407.txt
system reboot is recommended after the upgrade

Search for package or bug name: Reporting problems