[kwlug-disc] Heartbleed OpenSSL bug

Andrew Mercer andrew at andrewmercer.net
Wed Apr 9 12:56:44 EDT 2014


Yeah, they're doing things the Ubuntu way. If you look at the package
name and the output of openssl version alone, you probably won't be
satisfied that you've been patched. You have to look at the changelog to
verify that the vulnerability has been patched in the
openssl-1.0.1-4ubuntu5.12 package:

https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12

* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
     - debian/patches/CVE-2014-0160.patch: use correct lengths in
       ssl/d1_both.c, ssl/t1_lib.c.
     - CVE-2014-0160

On 2014-04-09 02:09, Bob Jonkman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CrankyOldBugger wrote:
>> So I wonder if Ubuntu is putting out their own homebrew 1.0.1e?
>
> I think Ubuntu is assigning a different version number than the
> mainstream OpenSSL team is.  That's fine, the Ubuntu number changes
> are all in the metadata portion (or "pre-release" portion, or "build
> number" portion) of the version string. I'm curious if Ubuntu is
> actually applying the same code as the OpenSSL team, or if they've
> crafted their own solution.  Either way, at the next Debian code
> import[1] (for the following release, 14.10) I expect the version
> numbers and the actual code to converge again.
>
> However, this is a fairly significant bug fix, and should probably
> have been given its own patch number increment, eg. OpenSSl 1.0.2
> according to the Semantic Versioning system[2].
>
> - --Bob.
>
> [1] Based on https://wiki.ubuntu.com/TrustyTahr/ReleaseSchedule about
> 16 weeks into the release cycle
>
> [2] Semantic Versioning:  http://semver.org/spec/v2.0.0.html
>
>
> On 14-04-08 09:16 PM, CrankyOldBugger wrote:
>> Found this tidbit on the Ubuntu site
>> (http://www.ubuntu.com/usn/usn-2165-1/ ):
>>
>> Details
>>
>> Neel Mehta discovered that OpenSSL incorrectly handled memory in
>> the TLS heartbeat extension. An attacker could use this issue to
>> obtain up to 64k of memory contents from the client or server,
>> possibly leading to the disclosure of private keys and other
>> sensitive information.
>>
>> (CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>)
>>
>> Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly
>> handled timing during swap operations in the Montgomery ladder
>> implementation. An attacker could use this issue to perform
>> side-channel attacks and possibly recover ECDSA nonces.
>>
>> (CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>)
>>
>> Update instructions
>>
>> The problem can be corrected by updating your system to the
>> following package versions:
>>
>> Ubuntu 13.10: libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl>
>> 1.0.1e-3ubuntu1.2 <https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2>
>>
>> Ubuntu 12.10: libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl>
>> 1.0.1c-3ubuntu2.7 <https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7>
>>
>> Ubuntu 12.04 LTS: libssl1.0.0 <https://launchpad.net/ubuntu/+source/openssl>
>> 1.0.1-4ubuntu5.12 <https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12>
>>
>> To update your system, please follow these instructions:
>> https://wiki.ubuntu.com/Security/Upgrades.
>>
>> After a standard system update you need to reboot your computer to
>> make all the necessary changes. Since this issue may have resulted
>> in compromised private keys, it is recommended to regenerate them.
>>
>> References
>>
>> CVE-2014-0076 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076>,
>> CVE-2014-0160 <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160>
>>
>> But... if you go to the National Vulnerability Database, it says
>> that 1.0.1e is vulnerable (
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160).
>> So I wonder if Ubuntu is putting out their own homebrew 1.0.1e?
>>
>> On 8 April 2014 19:44, Khalid Baheyeldin <kb at 2bits.com> wrote:
>>
>>>
>>> On Tue, Apr 8, 2014 at 7:38 PM, Bob Jonkman <bjonkman at sobac.com>
>>> wrote:
>>>
>>>>
>>>> On 14-04-08 12:09 PM, CrankyOldBugger wrote:
>>>>> I just ran apt-get update && apt-get dist-upgrade on my
>>>>> Ubuntu 13.10 laptop and saw both openSSL client and server in
>>>>> the mix, so, as stated by the OP, fixes are out there...
>>>>
>>>> I too saw OpenSSL patches come in before I even knew there was
>>>> a problem. But I still get this, even after a reboot:
>>>>
>>>>> Ubuntu 12.04.4:
>>>>>> openssl version
>>>>> OpenSSL 1.0.1 14 Mar 2012
>>>>>
>>>>> Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian
>>>>> Edition
>>>>>> openssl version
>>>>> OpenSSL 1.0.1e 11 Feb 2013
>>>>
>>>
>>> /var/log/aptitude has this:
>>>
>>> Aptitude 0.6.6: log report Mon, Apr  7 2014 20:25:30 -0400
>>>
>>> ...
>>> [UPGRADE] libssl-dev:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>>> [UPGRADE] libssl-doc:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>>> [UPGRADE] libssl1.0.0:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>>> ...
>>> [UPGRADE] openssl:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12
>>>
>>> $ dpkg -l | grep openssl
>>>
>>> Shows the following:
>>>
>>> ii  openssl 1.0.1-4ubuntu5.12
>>>
>>> Which means the update is applied.
>>>
>>> --
>>> Khalid M. Baheyeldin
>>> 2bits.com, Inc.
>>> Fast Reliable Drupal
>>> Drupal optimization, development, customization and consulting.
>>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>>> "For every complex problem, there is an answer that is clear, simple, and
>>> wrong." -- H.L. Mencken
>>>
>>> _______________________________________________ kwlug-disc
>>> mailing list kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Ensure confidentiality, authenticity, non-repudiability
>
> iEYEARECAAYFAlNE5BIACgkQuRKJsNLM5eos/QCcCVeTnOUIp3Q6l9QCoS6O8qgO
> cswAnRApqlLIh906qTV+UP/lRI0rlgKF
> =8sIp
> -----END PGP SIGNATURE-----
>

-- 
Andrew Mercer
Kitchener, ON

www.andrewmercer.net




