[kwlug-disc] Heartbleed OpenSSL bug

CrankyOldBugger crankyoldbugger at gmail.com
Tue Apr 8 21:16:51 EDT 2014


Found this tidbit on the Ubuntu site (http://www.ubuntu.com/usn/usn-2165-1/):

Details

Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS
heartbeat extension. An attacker could use this issue to obtain up to 64k
of memory contents from the client or server, possibly leading to the
disclosure of private keys and other sensitive information.
(CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>)

Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled
timing during swap operations in the Montgomery ladder implementation. An
attacker could use this issue to perform side-channel attacks and possibly
recover ECDSA nonces.
(CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>)

Update instructions

The problem can be corrected by updating your system to the following
package version:
Ubuntu 13.10:     libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl> 1.0.1e-3ubuntu1.2 <https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2>
Ubuntu 12.10:     libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl> 1.0.1c-3ubuntu2.7 <https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7>
Ubuntu 12.04 LTS: libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl> 1.0.1-4ubuntu5.12 <https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12>

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes. Since this issue may have resulted in compromised
private keys, it is recommended to regenerate them.

References

CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>, CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>


But... if you go to the National Vulnerability Database, it says that
1.0.1e is vulnerable
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160). So I
wonder if Ubuntu is putting out their own homebrew 1.0.1e?
On 8 April 2014 19:44, Khalid Baheyeldin <kb at 2bits.com> wrote:

>
>
>
> On Tue, Apr 8, 2014 at 7:38 PM, Bob Jonkman <bjonkman at sobac.com> wrote:
>
>>
>> On 14-04-08 12:09 PM, CrankyOldBugger wrote:
>> > I just ran apt-get update && apt-get dist-upgrade on my Ubuntu
>> > 13.10 laptop and saw both openSSL client and server in the mix, so,
>> > as stated by the OP, fixes are out there...
>>
>> I too saw OpenSSL patches come in before I even knew there was a
>> problem. But I still get this, even after a reboot:
>>
>> > Ubuntu 12.04.4:
>> >> openssl version
>> > OpenSSL 1.0.1 14 Mar 2012
>> >
>> > Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian Edition
>> >> openssl version
>> > OpenSSL 1.0.1e 11 Feb 2013
>>
>
> /var/log/aptitude has this:
>
> Aptitude 0.6.6: log report
> Mon, Apr  7 2014 20:25:30 -0400
>
> ...
> [UPGRADE] libssl-dev:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
> [UPGRADE] libssl-doc:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
> [UPGRADE] libssl1.0.0:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
> ...
> [UPGRADE] openssl:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>
> $ dpkg -l | grep openssl
> Shows the following:
> ii  openssl                               1.0.1-4ubuntu5.12
>
> Which means the update is applied.
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple, and
> wrong." -- H.L. Mencken
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
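The confusion in this thread (openssl version still prints "1.0.1e 11 Feb 2013" on a patched 13.10 host, while NVD lists 1.0.1e as vulnerable) comes from Ubuntu backporting the fix without changing the upstream version string. The package version is the thing to compare against the USN table. The script below is an added example, not code from the thread, from Ubuntu or from dpkg: it reimplements dpkg's version ordering so it runs without dpkg installed, takes dpkg -l output as text, and reports whether each openssl package is at or above the fixed version for the given release. The fixed versions are the ones quoted above; the sample dpkg -l lines are constructed (the 1.0.1e-3ubuntu1.1 string is made up to stand in for a not-yet-updated host).

```python
"""Check whether a Ubuntu host's OpenSSL packages carry the USN-2165-1 fix.

Ubuntu backports security fixes without bumping the upstream version, so
`openssl version` keeps printing "1.0.1e" on a patched 13.10 host. The
package version is what to compare, using dpkg's ordering rules
(reimplemented here so the check runs anywhere, without dpkg).
"""
import re

# Fixed libssl1.0.0 versions per release, from USN-2165-1 as quoted above.
FIXED_VERSION = {
    "13.10": "1.0.1e-3ubuntu1.2",
    "12.10": "1.0.1c-3ubuntu2.7",
    "12.04": "1.0.1-4ubuntu5.12",
}

# Binary packages built from the openssl source package share its version.
OPENSSL_PACKAGES = ("openssl", "libssl1.0.0", "libssl-dev", "libssl-doc")


def _order(c):
    """dpkg's character weight: '~' sorts before everything, even end-of-string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    at = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer number wins, else the first differing digit.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def debian_version_cmp(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions` lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def patched_packages(release, dpkg_l_output):
    """Map each installed openssl package to (installed version, is_fixed).

    `dpkg_l_output` is the text of `dpkg -l | grep ssl`; package names may
    carry an architecture suffix such as ':amd64'.
    """
    fixed = FIXED_VERSION[release]
    report = {}
    for line in dpkg_l_output.splitlines():
        m = re.match(r"^ii\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        name = m.group(1).split(":", 1)[0]
        if name in OPENSSL_PACKAGES:
            report[name] = (m.group(2), debian_version_cmp(m.group(2), fixed) >= 0)
    return report


# Constructed sample output, modelled on the dpkg -l line quoted in the thread.
SAMPLE_1204 = """\
ii  libssl1.0.0:amd64   1.0.1-4ubuntu5.12   SSL shared libraries
ii  openssl             1.0.1-4ubuntu5.12   Secure Sockets Layer toolkit
"""
# Constructed: a 13.10 host still on an older revision (version string made up).
SAMPLE_1310_OLD = "ii  libssl1.0.0:amd64   1.0.1e-3ubuntu1.1   SSL shared libraries\n"

if __name__ == "__main__":
    for release, output in (("12.04", SAMPLE_1204), ("13.10", SAMPLE_1310_OLD)):
        for pkg, (ver, ok) in patched_packages(release, output).items():
            print(f"Ubuntu {release}: {pkg} {ver} -> {'fixed' if ok else 'STILL VULNERABLE'}")
```

On a real host, feed it the output of dpkg -l and the release from /etc/lsb-release. A package at the fixed version says nothing about long-running daemons that loaded the old libssl before the upgrade, which is why the USN text above says to reboot, and nothing about keys that may already have leaked, which is why it says to regenerate them.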