[kwlug-disc] Heartbleed OpenSSL bug

Bob Jonkman bjonkman at sobac.com
Wed Apr 9 02:09:29 EDT 2014



CrankyOldBugger wrote:
> So I wonder if Ubuntu is putting out their own homebrew 1.0.1e?

I think Ubuntu is assigning a different version number than the
mainstream OpenSSL team is.  That's fine, the Ubuntu number changes
are all in the metadata portion (or "pre-release" portion, or "build
number" portion) of the version string. I'm curious if Ubuntu is
actually applying the same code as the OpenSSL team, or if they've
crafted their own solution.  Either way, at the next Debian code
import[1] (for the following release, 14.10) I expect the version
numbers and the actual code to converge again.

However, this is a fairly significant bug fix, and should probably
have been given its own patch number increment, e.g. OpenSSL 1.0.2
according to the Semantic Versioning system[2].

- --Bob.

[1] Based on https://wiki.ubuntu.com/TrustyTahr/ReleaseSchedule about
16 weeks into the release cycle

[2] Semantic Versioning:  http://semver.org/spec/v2.0.0.html


On 14-04-08 09:16 PM, CrankyOldBugger wrote:
> Found this tidbit on the Ubuntu site 
> (http://www.ubuntu.com/usn/usn-2165-1/ ):
> 
> Details
> 
> Neel Mehta discovered that OpenSSL incorrectly handled memory in
> the TLS heartbeat extension. An attacker could use this issue to
> obtain up to 64k of memory contents from the client or server,
> possibly leading to the disclosure of private keys and other
> sensitive information. 
> (CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>)
> 
> Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly 
> handled timing during swap operations in the Montgomery ladder 
> implementation. An attacker could use this issue to perform 
> side-channel attacks and possibly recover ECDSA nonces. 
> (CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>)
> 
> Update instructions
> 
> The problem can be corrected by updating your system to the
> following package version:
> 
> Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2
> <https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2>
> Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.7
> <https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7>
> Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12
> <https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12>
> 
> To update your system, please follow these instructions:
> https://wiki.ubuntu.com/Security/Upgrades.
> 
> After a standard system update you need to reboot your computer to 
> make all the necessary changes. Since this issue may have resulted
> in compromised private keys, it is recommended to regenerate them.
> References
> 
> CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>,
> CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>
> 
> But... if you go to the National Vulnerability Database, it says 
> that 1.0.1e is vulnerable ( 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160).
> So I wonder if Ubuntu is putting out their own homebrew 1.0.1e?
> 
> On 8 April 2014 19:44, Khalid Baheyeldin <kb at 2bits.com> wrote:
> 
>> 
>> On Tue, Apr 8, 2014 at 7:38 PM, Bob Jonkman <bjonkman at sobac.com> 
>> wrote:
>> 
>>> 
>>> On 14-04-08 12:09 PM, CrankyOldBugger wrote:
>>>> I just ran apt-get update && apt-get dist-upgrade on my
>>>> Ubuntu 13.10 laptop and saw both openSSL client and server in
>>>> the mix, so, as stated by the OP, fixes are out there...
>>> 
>>> I too saw OpenSSL patches come in before I even knew there was
>>> a problem. But I still get this, even after a reboot:
>>> 
>>>> Ubuntu 12.04.4:
>>>>> openssl version
>>>> OpenSSL 1.0.1 14 Mar 2012
>>>> 
>>>> Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian 
>>>> Edition
>>>>> openssl version
>>>> OpenSSL 1.0.1e 11 Feb 2013
>>> 
>> 
>> /var/log/aptitude has this:
>> 
>> Aptitude 0.6.6: log report Mon, Apr  7 2014 20:25:30 -0400
>> 
>> ... [UPGRADE] libssl-dev:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>> [UPGRADE] libssl-doc:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>> [UPGRADE] libssl1.0.0:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>> ... [UPGRADE] openssl:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>> 
>> $ dpkg -l | grep openssl
>> 
>> Shows the following:
>> 
>> ii  openssl  1.0.1-4ubuntu5.12
>> 
>> Which means the update is applied.
>> 
>> -- 
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>> For every complex problem, there is an answer that is clear, simple,
>> and wrong. -- H.L. Mencken
>> 
>> _______________________________________________ kwlug-disc
>> mailing list kwlug-disc at kwlug.org 
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> 
>> 
> 
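The thread's practical point is that `openssl version` keeps reporting the upstream release string after Ubuntu backports a fix, so the package version from `dpkg -l` is what has to be compared against the fixed versions in USN-2165-1. The Python below is an added example, not code from this thread or from Ubuntu: it ports dpkg's version-ordering rules (assumed to match `dpkg --compare-versions`) and checks constructed `dpkg -l` lines against the fixed versions quoted above.

```python
import re
from itertools import zip_longest

# Fixed libssl1.0.0/openssl versions quoted from USN-2165-1 in this thread.
FIXED_VERSIONS = {"13.10": "1.0.1e-3ubuntu1.2", "12.10": "1.0.1c-3ubuntu2.7",
                  "12.04": "1.0.1-4ubuntu5.12"}

def _order(c):
    # dpkg weight: end of string 0, '~' below that, letters before symbols.
    if c == "" or c.isalpha():
        return ord(c) if c else 0
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and numeric runs."""
    runs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]  # (non-digits, digits)
    for (sa, na), (sb, nb) in zip_longest(*runs, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):  # leading zeros are not significant
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def check_dpkg_output(dpkg_text, release):
    """Map each installed openssl/libssl package in `dpkg -l` output to
    (installed version, True if at or above the USN-2165-1 fixed version)."""
    fixed, status = FIXED_VERSIONS[release], {}
    for fields in (line.split() for line in dpkg_text.splitlines()):
        if len(fields) > 2 and fields[0] == "ii" and fields[1].startswith(("openssl", "libssl")):
            status[fields[1]] = (fields[2], compare_versions(fields[2], fixed) >= 0)
    return status

# Constructed sample of `dpkg -l` output on 12.04 LTS: libssl1.0.0 still unpatched.
SAMPLE_DPKG = """\
ii  libssl1.0.0:amd64  1.0.1-4ubuntu5.11  SSL shared libraries
ii  openssl            1.0.1-4ubuntu5.12  Secure Sockets Layer toolkit
"""
```

Running `check_dpkg_output(SAMPLE_DPKG, "12.04")` flags the library package as unpatched even though the `openssl` binary is current, which is exactly the case a reboot-and-`openssl version` check cannot distinguish.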




