Bug 3942

Summary: openssl was updated to 1.0.1g [UPDATE REQUEST]
Product: [ROSA-based products] ROSA Fresh
Reporter: Alexander Burmashev <alex.burmashev>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: denis.silakov, dmitry.postnikov, kuzma.kazygashev, v.potapov, zombie.ryushu
Version: Fresh
Flags: v.potapov: qa_verified+; kuzma.kazygashev: secteam_verified+; alex.burmashev: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package: openssl
ISO-related:
Bad POT generating:
Upstream:

Description Alexander Burmashev 2014-04-08 12:23:23 MSK
openssl was updated to 1.0.1g
Comment 1 Alexander Burmashev 2014-04-08 12:24:34 MSK
Advisory:
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Buildlists:
https://abf.rosalinux.ru/build_lists/1748368
https://abf.rosalinux.ru/build_lists/1748369

References:
https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/
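The bounds check the advisory refers to, as an added example in C that is not part of this bug report or of OpenSSL's own source: a constructed, simplified heartbeat message layout (type, 2-byte length, payload, 16 bytes of padding) with the length-versus-record check that 1.0.1g introduces before the payload is echoed back.

```c
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat message body (RFC 6520), constructed for this example:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)      */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static size_t hb_claimed_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The check 1.0.1g adds: the peer-supplied length must fit in the bytes that
 * actually arrived in the record. Returns 1 if well-formed, 0 to drop it.    */
int heartbeat_is_valid(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 3)                                  /* no length field at all */
        return 0;
    if (1 + 2 + hb_claimed_len(rec) + HB_PADDING > rec_len)
        return 0;                                     /* claims more than received */
    return 1;
}

/* Build the echo response. The pre-fix code did the memcpy below with the
 * claimed length but no validity check, so a 64k claim on a tiny record
 * copied whatever followed the record in memory into the reply.            */
size_t heartbeat_respond(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    if (!heartbeat_is_valid(rec, rec_len) || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = hb_claimed_len(rec);
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* only bytes we really received */
    memset(out + 3 + payload, 0, HB_PADDING);     /* fixed padding here; OpenSSL
                                                     fills it with random bytes   */
    return need;
}
```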
Comment 2 Vladimir Potapov 2014-04-08 14:19:52 MSK
The update is routed to extended testing.
Comment 3 Postnikov Dmitry 2014-04-09 02:09:24 MSK
******************************
Extended testing report
****************************
Everything works OK, without problems.
Comment 4 Vladimir Potapov 2014-04-09 03:02:42 MSK
openssl-1.0.1g-1
http://abf-downloads.rosalinux.ru/rosa2012.1/container/1748368/i586/main/release/
http://abf-downloads.rosalinux.ru/rosa2012.1/container/1748369/x86_64/main/release/
******************************** Advisory ******************************
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
*************************************************************************
QA Verified
Comment 5 Zombie Ryushu 2014-04-11 06:24:44 MSK
What about Rosa 2012lts?
Comment 6 Denis Silakov 2014-04-15 09:30:01 MSK
(In reply to comment #5)
> What about Rosa 2012lts?

2012lts uses openssl 1.0.0i, which is not subject to this problem.