Bug 3942 - openssl was updated to 1.0.1g [UPDATE REQUEST]
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Highest critical
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
Reported: 2014-04-08 12:23 MSD by Alexander Burmashev
Modified: 2014-04-15 09:30 MSD

RPM Package: openssl
vladimir.potapov: qa_verified+
kuzma.kazygashev: secteam_verified+
alex.burmashev: published+


Description Alexander Burmashev 2014-04-08 12:23:23 MSD
openssl was updated to 1.0.1g
Comment 1 Alexander Burmashev 2014-04-08 12:24:34 MSD
Advisory:
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Buildlists:
https://abf.rosalinux.ru/build_lists/1748368
https://abf.rosalinux.ru/build_lists/1748369

References:
https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/
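
The bounds check the advisory above refers to, as an added example that is not part of the original bug report and is not OpenSSL's code: a stand-alone C function that validates a heartbeat request (RFC 6520 layout: type, 2-byte payload length, payload, at least 16 bytes of padding) against the bytes actually received before echoing the payload. The function name, constants and sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical helper: writes a response to out and returns its length,
 * or returns 0 when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Too short to hold even an empty-payload message, or not a request. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;

    /* The bounds check: the length the peer claims must fit inside the
     * bytes actually received, otherwise the copy below would read past
     * the record into adjacent memory (up to 64k, as the length is 16-bit). */
    if (resp_len > rec_len || resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Real padding must be random; zeros keep this example deterministic. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed 23-byte records: same bytes on the wire, different claimed length. */
static const uint8_t hb_ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
static uint8_t hb_out[64];

int main(void)
{
    printf("honest length:   %zu\n", hb_build_response(hb_ok, sizeof hb_ok, hb_out, sizeof hb_out));
    printf("inflated length: %zu\n", hb_build_response(hb_bad, sizeof hb_bad, hb_out, sizeof hb_out));
    return 0;
}
```
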
Comment 2 Vladimir Potapov 2014-04-08 14:19:52 MSD
The update is routed to extended testing.
Comment 3 Postnikov Dmitry 2014-04-09 02:09:24 MSD
******************************
Extended testing report
****************************
Everything works OK, without problems.
Comment 4 Vladimir Potapov 2014-04-09 03:02:42 MSD
openssl-1.0.1g-1
http://abf-downloads.rosalinux.ru/rosa2012.1/container/1748368/i586/main/release/
http://abf-downloads.rosalinux.ru/rosa2012.1/container/1748369/x86_64/main/release/
******************************** Advisory ******************************
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
*************************************************************************
QA Verified
Comment 5 Zombie Ryushu 2014-04-11 06:24:44 MSD
What about Rosa 2012lts?
Comment 6 Denis Silakov 2014-04-15 09:30:01 MSD
(In reply to comment #5)
> What about Rosa 2012lts?

2012lts uses openssl 1.0.0i, which is not subject to this problem.