<div dir="ltr">Found this tidbit on the Ubuntu site (<a href="http://www.ubuntu.com/usn/usn-2165-1/">http://www.ubuntu.com/usn/usn-2165-1/</a>):<div><br></div><div><h3 style="margin:0px 0px 8px;padding:8px 0px 0px;border:0px;font-weight:normal;font-size:16px;line-height:20px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
Details</h3><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS<br>heartbeat extension. An attacker could use this issue to obtain up to 64k<br>of memory contents from the client or server, possibly leading to the<br>
disclosure of private keys and other sensitive information. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">CVE-2014-0160</a>)</p>
<p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled<br>timing during swap operations in the Montgomery ladder implementation. An<br>attacker could use this issue to perform side-channel attacks and possibly<br>
recover ECDSA nonces. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">CVE-2014-0076</a>)<br>
</p><h3 style="margin:0px 0px 8px;padding:8px 0px 0px;border:0px;font-weight:normal;font-size:16px;line-height:20px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
Update instructions</h3><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
The problem can be corrected by updating your system to the following package version:</p><dl style="margin:0px 0px 16px;padding:0px;border:0px;font-size:12px;line-height:12px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<dt style="margin:0px;padding:12px 0px 8px;border:0px;font-weight:bold;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">Ubuntu 13.10:</dt><dd style="margin:0px;padding:0px 0px 0px 16px;border:0px;font-weight:inherit;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">
<a href="https://launchpad.net/ubuntu/+source/openssl" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">libssl1.0.0</a> <span style="margin:0px;padding:0px 0px 0px 10px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline"><a href="https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">1.0.1e-3ubuntu1.2</a></span></dd>
<dt style="margin:0px;padding:12px 0px 8px;border:0px;font-weight:bold;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">Ubuntu 12.10:</dt><dd style="margin:0px;padding:0px 0px 0px 16px;border:0px;font-weight:inherit;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">
<a href="https://launchpad.net/ubuntu/+source/openssl" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">libssl1.0.0</a> <span style="margin:0px;padding:0px 0px 0px 10px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline"><a href="https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">1.0.1c-3ubuntu2.7</a></span></dd>
<dt style="margin:0px;padding:12px 0px 8px;border:0px;font-weight:bold;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">Ubuntu 12.04 LTS:</dt><dd style="margin:0px;padding:0px 0px 0px 16px;border:0px;font-weight:inherit;font-style:inherit;line-height:16px;font-family:inherit;vertical-align:baseline">
<a href="https://launchpad.net/ubuntu/+source/openssl" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">libssl1.0.0</a> <span style="margin:0px;padding:0px 0px 0px 10px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline"><a href="https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">1.0.1-4ubuntu5.12</a></span></dd>
</dl><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
To update your system, please follow these instructions: <a href="https://wiki.ubuntu.com/Security/Upgrades" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">https://wiki.ubuntu.com/Security/Upgrades</a>.</p>
<p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
After a standard system update you need to reboot your computer to make all<br>the necessary changes. Since this issue may have resulted in compromised<br>private keys, it is recommended to regenerate them.<br></p><h3 style="margin:0px 0px 8px;padding:8px 0px 0px;border:0px;font-weight:normal;font-size:16px;line-height:20px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
References</h3><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">CVE-2014-0076</a>, <a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160" style="margin:0px;padding:0px;border:0px;font-weight:inherit;font-style:inherit;line-height:1;font-family:inherit;vertical-align:baseline;color:rgb(221,72,20);text-decoration:none">CVE-2014-0160</a></p>
<p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<br></p><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
But... if you go to the National Vulnerability Database, it says that 1.0.1e is vulnerable (<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160</a>). So I wonder if Ubuntu is putting out their own homebrew 1.0.1e?</p>
<p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<br></p><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<br></p><p style="margin:0px 0px 8px;padding:0px;border:0px;font-size:12px;line-height:16px;font-family:'Ubuntu Beta',UbuntuBeta,Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;vertical-align:baseline;color:rgb(51,51,51)">
<br></p></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 8 April 2014 19:44, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 7:38 PM, Bob Jonkman <span dir="ltr"><<a href="mailto:bjonkman@sobac.com" target="_blank">bjonkman@sobac.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><div>
On 14-04-08 12:09 PM, CrankyOldBugger wrote:<br>
> I just ran apt-get update && apt-get dist-upgrade on my Ubuntu<br>
> 13.10 laptop and saw both openSSL client and server in the mix, so,<br>
> as stated by the OP, fixes are out there...<br>
<br>
</div>I too saw OpenSSL patches come in before I even knew there was a<br>
problem. But I still get this, even after a reboot:<br>
<br>
> Ubuntu 12.04.4:<br>
>> openssl version<br>
> OpenSSL 1.0.1 14 Mar 2012<br>
><br>
> Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian Edition<br>
>> openssl version<br>
> OpenSSL 1.0.1e 11 Feb 2013<br></blockquote><div><br></div><div>/var/log/aptitude has this:<br><br>Aptitude 0.6.6: log report<br>Mon, Apr 7 2014 20:25:30 -0400<br><br>...<br>[UPGRADE] libssl-dev:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12<br>
[UPGRADE] libssl-doc:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12<br>[UPGRADE] libssl1.0.0:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12<br>...<br>[UPGRADE] openssl:amd64 1.0.1-4ubuntu5.11 -> 1.0.1-4ubuntu5.12<br>
<br></div><div>$ dpkg -l | grep openssl<br>Shows the following:<br>ii openssl 1.0.1-4ubuntu5.12 <br><br></div><div>Which means the update is applied.<span class="HOEnZb"><font color="#888888"><br>
</font></span></div></div><span class="HOEnZb"><font color="#888888">-- <br>Khalid M. Baheyeldin<br>
<a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken<br>
</font></span></div></div>
<br>_______________________________________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
<br></blockquote></div><br></div>