CVE-2014-0160 heartbeat read overrun (heartbleed)

Related Vulnerabilities: CVE-2014-0160  

Debian Bug report logs - #743883
CVE-2014-0160 heartbeat read overrun (heartbleed)


Reported by: Travis Cross <tc@travislists.com>

Date: Mon, 7 Apr 2014 21:21:02 UTC

Severity: grave

Found in versions openssl/1.0.1e-2, openssl/1.0.1f-1, openssl/1.0.2~beta1-1

Fixed in versions openssl/1.0.1g-1, 1.0.1e-2+deb7u5

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Mon, 07 Apr 2014 21:21:06 GMT)


Acknowledgement sent to Travis Cross <tc@travislists.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 07 Apr 2014 21:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Travis Cross <tc@travislists.com>
To: submit@bugs.debian.org
Subject: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Mon, 07 Apr 2014 21:11:09 +0000
Package: openssl
Version: 1.0.1f-1
Severity: grave

A serious flaw has been discovered in OpenSSL versions 1.0.1 through
1.0.1f.  This bug can allow an attacker to read process memory on
vulnerable systems leading to exposure of the private key.  Please
see:

  http://www.openssl.org/news/secadv_20140407.txt
  http://heartbleed.com/

Debian will need to patch OpenSSL in sid, jessie, and wheezy, and all
keys used with vulnerable processes will need to be replaced both in
Debian infrastructure and by all users of this package.



Marked as found in versions openssl/1.0.1e-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:45:09 GMT)


Marked as fixed in versions 1.0.1e-2+deb7u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:45:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Mon, 07 Apr 2014 21:48:04 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 07 Apr 2014 21:48:04 GMT)


Message #14 received at 743883@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Travis Cross <tc@travislists.com>, 743883@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Mon, 7 Apr 2014 23:45:26 +0200
found 743883 1.0.1e-2
fixed 743883 + 1.0.1-g
fixed 743883 + 1.0.1e-2+deb7u5
close 743883
thanks

On Mon, Apr 07, 2014 at 09:11:09PM +0000, Travis Cross wrote:
> Package: openssl
> Version: 1.0.1f-1
> Severity: grave
> 
> A serious flaw has been discovered in OpenSSL versions 1.0.1 through
> 1.0.1f.  This bug can allow an attacker to read process memory on
> vulnerable systems leading to exposure of the private key.  Please
> see:
> 
>   http://www.openssl.org/news/secadv_20140407.txt
>   http://heartbleed.com/
> 
> Debian will need to patch OpenSSL in sid, jessie, and wheezy, and all
> keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
> 
> _______________________________________________
> Pkg-openssl-devel mailing list
> Pkg-openssl-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-openssl-devel
> 



Marked Bug as done. Request was from Kurt Roeckx <kurt@roeckx.be> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:48:07 GMT)


Notification sent to Travis Cross <tc@travislists.com>:
Bug acknowledged by developer. (Mon, 07 Apr 2014 21:48:08 GMT)


Marked as fixed in versions openssl/1.0.1g-1. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Mon, 07 Apr 2014 23:36:27 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Tue, 08 Apr 2014 13:42:04 GMT)


Acknowledgement sent to Gregor Riepl <onitake@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 13:42:04 GMT)


Message #25 received at 743883@bugs.debian.org:

From: Gregor Riepl <onitake@gmail.com>
To: 743883@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Tue, 08 Apr 2014 15:37:45 +0200
> found 743883 1.0.1e-2
> fixed 743883 + 1.0.1-g
> fixed 743883 + 1.0.1e-2+deb7u5

jessie is still vulnerable at 1.0.1f-1.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Tue, 08 Apr 2014 16:36:09 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 16:36:09 GMT)


Message #30 received at 743883@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Gregor Riepl <onitake@gmail.com>, 743883@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#743883: Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Tue, 8 Apr 2014 18:32:53 +0200
On Tue, Apr 08, 2014 at 03:37:45PM +0200, Gregor Riepl wrote:
> > found 743883 1.0.1e-2
> > fixed 743883 + 1.0.1-g
> > fixed 743883 + 1.0.1e-2+deb7u5
> 
> jessie is still vulnerable at 1.0.1f-1.

jessie has 1.0.1g-1 already, which should fix it.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:21:04 GMT)


Acknowledgement sent to gmitpro <gmitpro@gmitpro.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:21:04 GMT)


Message #35 received at 743883@bugs.debian.org:

From: gmitpro <gmitpro@gmitpro.com>
To: 743883@bugs.debian.org
Subject: Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Tue, 08 Apr 2014 14:18:53 -0400
When will jessie be updated?
The website still has 1.0.1f-1 and the Debian Changelog shows "Not 
found" page.
https://packages.debian.org/jessie/openssl
http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog

apt-get also gives 1.0.1f-1
Please fix.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:45:05 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:45:05 GMT)


Message #40 received at 743883@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: gmitpro <gmitpro@gmitpro.com>, 743883@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Tue, 8 Apr 2014 20:43:11 +0200
On Tue, Apr 08, 2014 at 02:18:53PM -0400, gmitpro wrote:
> When will jessie be updated?
> The website still has 1.0.1f-1 and the Debian Changelog shows "Not found"
> page.
> https://packages.debian.org/jessie/openssl
> http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog
> 
> apt-get also gives 1.0.1f-1
> Please fix.

You need to wait until your mirror has it.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:57:08 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:57:08 GMT)


Message #45 received at 743883@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: gmitpro <gmitpro@gmitpro.com>, 743883@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Tue, 8 Apr 2014 20:52:32 +0200
On Tue, Apr 08, 2014 at 08:43:11PM +0200, Kurt Roeckx wrote:
> On Tue, Apr 08, 2014 at 02:18:53PM -0400, gmitpro wrote:
> > When will jessie be updated?
> > The website still has 1.0.1f-1 and the Debian Changelog shows "Not found"
> > page.
> > https://packages.debian.org/jessie/openssl
> > http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog
> > 
> > apt-get also gives 1.0.1f-1
> > Please fix.
> 
> You need to wait until your mirror has it.

Or get it from unstable, your mirror should have it there.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Wed, 09 Apr 2014 05:33:04 GMT)


Acknowledgement sent to Thomas DEBESSE <dev@illwieckz.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 05:33:04 GMT)


Message #50 received at 743883@bugs.debian.org:

From: Thomas DEBESSE <dev@illwieckz.net>
To: 743883@bugs.debian.org
Subject: Re: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Wed, 9 Apr 2014 07:30:30 +0200
Warning, openssl=1.0.1e-2+deb7u6 depends on libssl1.0.0>= 1.0.1, so,
updating openssl without updating the whole world does not update
libssl.

It would be an excellent idea if openssl=1.0.1e-2+deb7u6 depends on
libssl1.0.0=1.0.1e-2+deb7u6 if someone wants to install this security fix
without installing a non-security update from another package inside
another repository (what happens with apt-get upgrade).

-- 
Thomas DEBESSE



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Wed, 09 Apr 2014 06:27:05 GMT)


Acknowledgement sent to Eric Valette <eric.valette@free.fr>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 06:27:05 GMT)


Message #55 received at 743883@bugs.debian.org:

From: Eric Valette <eric.valette@free.fr>
To: Debian Bug Tracking System <743883@bugs.debian.org>
Subject: openssl: Experimental version is still vulnerable
Date: Wed, 09 Apr 2014 08:23:24 +0200
Package: openssl
Version: 1.0.2~beta1-1
Followup-For: Bug #743883

Please also fix the 1.0.2~beta1-1 version

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12.17 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.18-4
ii  libssl1.0.0  1.0.2~beta1-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20140325

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Wed, 09 Apr 2014 13:51:17 GMT)


Acknowledgement sent to Gregor Riepl <onitake@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 13:51:17 GMT)


Message #60 received at 743883@bugs.debian.org:

From: Gregor Riepl <onitake@gmail.com>
To: 743883@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#743883: Bug#743883: CVE-2014-0160 heartbeat read overrun (heartbleed)
Date: Wed, 09 Apr 2014 15:44:46 +0200
On 08/04/14 18:32, Kurt Roeckx wrote:
>> jessie is still vulnerable at 1.0.1f-1.
> 
> jessie has 1.0.1g-1 already, which should fix it.

Thank you, it just took a little longer for the package to hit my mirror.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Fri, 11 Apr 2014 06:57:08 GMT)


Acknowledgement sent to Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 06:57:08 GMT)


Message #65 received at 743883@bugs.debian.org:

From: Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl>
To: 743883@bugs.debian.org
Subject: Is it really fixed?
Date: Fri, 11 Apr 2014 08:40:17 +0200
Hello!

After reading the advisory DSA-2896-1 openssl -- security update
I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
and tested them again with:
	http://filippo.io/Heartbleed/#example.server.domain
	http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
And still I get "IS VULNERABLE" results!
Does it mean that tests are wrong or the package is not fixed?

After a while I have discovered that upgrading openssl package is not enough!
It is also necessary to upgrade the packages (maybe too many):
	 libcrypto1.0.0-udeb
	 libssl-dev
	 libssl-doc
	 libssl1.0.0
	 libssl1.0.0-dbg
IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
Alternatively (better) openssl package should require
newer versions of necessary libraries.

With Best Regards,
	Jerzy Sobczyk
-- 
------------------ Institute of Control and Computation Engineering  ______
Jerzy Sobczyk               Warsaw University of Technology         /_/   |
J.Sobczyk@ia.pw.edu.pl              Nowowiejska 15/19              / / /| |
http://www.ia.pw.edu.pl/~jurek    00-665 Warsaw, POLAND           / / _>| |
tel. +48 22 234 7863 _____________ fax. +48 22 8253719 ________  /_/_/  |_|



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Fri, 11 Apr 2014 07:18:09 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 07:18:09 GMT)


Message #70 received at 743883@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl>, 743883@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#743883: Is it really fixed?
Date: Fri, 11 Apr 2014 09:14:57 +0200
On Fri, Apr 11, 2014 at 08:40:17AM +0200, Jerzy Sobczyk wrote:
> Hello!
> 
> After reading the advisory DSA-2896-1 openssl -- security update
> I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
> and tested them again with:
> 	http://filippo.io/Heartbleed/#example.server.domain
> 	http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
> And still I get "IS VULNERABLE" results!
> Does it mean that tests are wrong or the package is not fixed?
> 
> After a while I have discovered that upgrading openssl package is not enough!
> It is also necessary to upgrade the packages (maybe too many):
> 	 libcrypto1.0.0-udeb
> 	 libssl-dev
> 	 libssl-doc
> 	 libssl1.0.0
> 	 libssl1.0.0-dbg
> IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
> Alternatively (better) openssl package should require
> newer versions of necessary libraries.

You need to update libssl1.0.0, it has always been written in the
advisory.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#743883; Package openssl. (Fri, 11 Apr 2014 08:03:04 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 08:03:04 GMT)


Message #75 received at 743883@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl>, 743883@bugs.debian.org
Subject: Re: Bug#743883: Is it really fixed?
Date: Fri, 11 Apr 2014 09:58:05 +0200
On 11 April 2014 08:40, Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl> wrote:
[...]
> After a while I have discovered that upgrading openssl package is not enough!
> It is necessary to upgrade also packages (may be too many):

"All users are urged to upgrade their openssl packages (*especially
libssl1.0.0*) and restart applications as soon as possible."
[emphasis is mine]

We did mention it.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

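A post-upgrade audit for the situation Jerzy Sobczyk and Thomas DEBESSE describe above, added here as an example and not part of the bug log or of Debian's own tooling: it ports dpkg's version ordering so that the installed library packages (not only the `openssl` CLI) can be compared against the fixed version for the suite, and it flags processes that still map the deleted pre-upgrade libssl, which keep running the vulnerable code until restarted. The `dpkg-query` output and `/proc/<pid>/maps` lines are constructed samples; the per-suite fixed versions are the ones recorded in this log.

```python
# Added audit helper (not from the bug log or from dpkg). It checks the two points
# this thread turns on after the CVE-2014-0160 update: the *library* packages
# (libssl1.0.0, not only the openssl CLI) must reach the fixed Debian version, and
# daemons still mapping the deleted pre-upgrade libssl must be restarted.
import re
from itertools import zip_longest

def _order(c):
    # dpkg weight of a non-digit character: '~' < end-of-run < letters < others.
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): compare alternating non-digit runs and numeric runs.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        ka = [_order(c) for c in na] + [0]   # trailing 0 = end of run, as in C
        kb = [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_version_cmp(a, b):
    # Same sign as `dpkg --compare-versions`: epoch, then upstream, then revision.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def still_vulnerable(dpkg_lines, fixed):
    # dpkg_lines: `dpkg-query -W -f='${Package} ${Version}\n'` output; `fixed` is
    # the threshold for *this* suite (1.0.1e-2+deb7u5 on wheezy, 1.0.1g-1 on jessie/sid).
    rows = (ln.split() for ln in dpkg_lines.splitlines() if ln.strip())
    return [(pkg, ver) for pkg, ver in rows if deb_version_cmp(ver, fixed) < 0]

def needs_restart(maps_by_pid):
    # PIDs whose /proc/<pid>/maps still map a deleted (pre-upgrade) libssl/libcrypto.
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any("(deleted)" in ln and ("libssl.so" in ln or "libcrypto.so" in ln)
                         for ln in text.splitlines()))

# Constructed sample (not real output): openssl CLI upgraded, libssl1.0.0 left behind,
# and PID 1234 still runs against the old library while 1235 was restarted.
SAMPLE_DPKG = "openssl 1.0.1e-2+deb7u5\nlibssl1.0.0 1.0.1e-2\nlibssl-dev 1.0.1e-2\n"
SAMPLE_MAPS = {1234: "7f1a r-xp /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n",
               1235: "7f1b r-xp /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"}
```

Note that the threshold must match the suite the package came from: the experimental 1.0.2~beta1-1 reported later in this log compares higher than both fixed versions yet was still vulnerable, so mixed-source systems need one check per suite.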


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 May 2014 07:31:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:51:48 2019; Machine Name: buxtehude
