TLS heartbeat read overrun (CVE-2014-0160)
Posted: 11 Apr 2014, 04:36
Details:
https://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
Also:
https://www.openssl.org/source/openssl-1.0.1g.tar.gz
4509047 Apr 7 19:21:29 2014 openssl-1.0.1g.tar.gz
From Porteus forum:
http://forum.porteus.org/viewtopic.php? ... .1g#p23626
Board index ‹ General ‹ General chat ‹ Security hole in OpenSSL
https://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
Also:
https://www.openssl.org/source/openssl-1.0.1g.tar.gz
4509047 Apr 7 19:21:29 2014 openssl-1.0.1g.tar.gz
From Porteus forum:
http://forum.porteus.org/viewtopic.php? ... .1g#p23626
Board index ‹ General ‹ General chat ‹ Security hole in OpenSSL