Debian Bug report logs - #743883
CVE-2014-0160 heartbeat read overrun (heartbleed)
Reported by: Travis Cross <tc@travislists.com>
Date: Mon, 7 Apr 2014 21:21:02 UTC
Severity: grave
Found in versions openssl/1.0.1e-2, openssl/1.0.1f-1, openssl/1.0.2~beta1-1
Fixed in versions openssl/1.0.1g-1, 1.0.1e-2+deb7u5
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Mon, 07 Apr 2014 21:21:06 GMT)
Acknowledgement sent to Travis Cross <tc@travislists.com>: New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 07 Apr 2014 21:21:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Version: 1.0.1f-1
Severity: grave
A serious flaw has been discovered in OpenSSL versions 1.0.1 through
1.0.1f. This bug can allow an attacker to read process memory on
vulnerable systems leading to exposure of the private key. Please
see:
http://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/
Debian will need to patch OpenSSL in sid, jessie, and wheezy, and all
keys used with vulnerable processes will need to be replaced both in
Debian infrastructure and by all users of this package.

Marked as found in versions openssl/1.0.1e-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:45:09 GMT)
Marked as fixed in versions 1.0.1e-2+deb7u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:45:14 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Mon, 07 Apr 2014 21:48:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 07 Apr 2014 21:48:04 GMT)
Message #14 received at 743883@bugs.debian.org:
found 743883 1.0.1e-2
fixed 743883 + 1.0.1-g
fixed 743883 + 1.0.1e-2+deb7u5
close 743883
thanks
On Mon, Apr 07, 2014 at 09:11:09PM +0000, Travis Cross wrote:
> Package: openssl
> Version: 1.0.1f-1
> Severity: grave
>
> A serious flaw has been discovered in OpenSSL versions 1.0.1 through
> 1.0.1f. This bug can allow an attacker to read process memory on
> vulnerable systems leading to exposure of the private key. Please
> see:
>
> http://www.openssl.org/news/secadv_20140407.txt
> http://heartbleed.com/
>
> Debian will need to patch OpenSSL in sid, jessie, and wheezy, and all
> keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
>

Marked Bug as done. Request was from Kurt Roeckx <kurt@roeckx.be> to control@bugs.debian.org. (Mon, 07 Apr 2014 21:48:07 GMT)
Notification sent to Travis Cross <tc@travislists.com>: Bug acknowledged by developer. (Mon, 07 Apr 2014 21:48:08 GMT)
Marked as fixed in versions openssl/1.0.1g-1. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Mon, 07 Apr 2014 23:36:27 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Tue, 08 Apr 2014 13:42:04 GMT)
Acknowledgement sent to Gregor Riepl <onitake@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 13:42:04 GMT)
Message #25 received at 743883@bugs.debian.org:
> found 743883 1.0.1e-2
> fixed 743883 + 1.0.1-g
> fixed 743883 + 1.0.1e-2+deb7u5
jessie is still vulnerable at 1.0.1f-1.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Tue, 08 Apr 2014 16:36:09 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 16:36:09 GMT)
Message #30 received at 743883@bugs.debian.org:
On Tue, Apr 08, 2014 at 03:37:45PM +0200, Gregor Riepl wrote:
> > found 743883 1.0.1e-2
> > fixed 743883 + 1.0.1-g
> > fixed 743883 + 1.0.1e-2+deb7u5
>
> jessie is still vulnerable at 1.0.1f-1.
jessie has 1.0.1g-1 already, which should fix it.
Kurt

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:21:04 GMT)
Acknowledgement sent to gmitpro <gmitpro@gmitpro.com>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:21:04 GMT)
Message #35 received at 743883@bugs.debian.org:
When will jessie be updated?
The website still has 1.0.1f-1 and the Debian Changelog shows a "Not found" page.
https://packages.debian.org/jessie/openssl
http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog
apt-get also gives 1.0.1f-1
Please fix.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:45:05 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:45:05 GMT)
Message #40 received at 743883@bugs.debian.org:
On Tue, Apr 08, 2014 at 02:18:53PM -0400, gmitpro wrote:
> When will jessie be updated?
> The website still has 1.0.1f-1 and the Debian Changelog shows "Not found"
> page.
> https://packages.debian.org/jessie/openssl
> http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog
>
> apt-get also gives 1.0.1f-1
> Please fix.
You need to wait until your mirror has it.
Kurt

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Tue, 08 Apr 2014 18:57:08 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 18:57:08 GMT)
Message #45 received at 743883@bugs.debian.org:
On Tue, Apr 08, 2014 at 08:43:11PM +0200, Kurt Roeckx wrote:
> On Tue, Apr 08, 2014 at 02:18:53PM -0400, gmitpro wrote:
> > When will jessie be updated?
> > The website still has 1.0.1f-1 and the Debian Changelog shows "Not found"
> > page.
> > https://packages.debian.org/jessie/openssl
> > http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.1f-1_changelog
> >
> > apt-get also gives 1.0.1f-1
> > Please fix.
>
> You need to wait until your mirror has it.
Or get it from unstable, your mirror should have it there.
Kurt

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Wed, 09 Apr 2014 05:33:04 GMT)
Acknowledgement sent to Thomas DEBESSE <dev@illwieckz.net>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 05:33:04 GMT)
Message #50 received at 743883@bugs.debian.org:
Warning: openssl=1.0.1e-2+deb7u6 depends on libssl1.0.0 >= 1.0.1, so
updating openssl without updating the whole world does not update
libssl.
It would be an excellent idea if openssl=1.0.1e-2+deb7u6 depended on
libssl1.0.0=1.0.1e-2+deb7u6, so that someone can install this security fix
without installing a non-security update from another package in
another repository (which is what happens with apt-get upgrade).
--
Thomas DEBESSE

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Wed, 09 Apr 2014 06:27:05 GMT)
Acknowledgement sent to Eric Valette <eric.valette@free.fr>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 06:27:05 GMT)
Message #55 received at 743883@bugs.debian.org:
Package: openssl
Version: 1.0.2~beta1-1
Followup-For: Bug #743883
Please also fix the 1.0.2~beta1-1 version
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12.17 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.18-4
ii libssl1.0.0 1.0.2~beta1-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20140325
-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Wed, 09 Apr 2014 13:51:17 GMT)
Acknowledgement sent to Gregor Riepl <onitake@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 13:51:17 GMT)
Message #60 received at 743883@bugs.debian.org:
On 08/04/14 18:32, Kurt Roeckx wrote:
>> jessie is still vulnerable at 1.0.1f-1.
>
> jessie has 1.0.1g-1 already, which should fix it.
Thank you, it just took a little longer for the package to hit my mirror.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Fri, 11 Apr 2014 06:57:08 GMT)
Acknowledgement sent to Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 06:57:08 GMT)
Message #65 received at 743883@bugs.debian.org:
Hello!
After reading the advisory DSA-2896-1 openssl -- security update
I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
and tested them again with:
http://filippo.io/Heartbleed/#example.server.domain
http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
And still I get "IS VULNERABLE" results!
Does it mean that tests are wrong or the package is not fixed?
After a while I discovered that upgrading the openssl package is not enough!
It is also necessary to upgrade these packages (maybe too many):
libcrypto1.0.0-udeb
libssl-dev
libssl-doc
libssl1.0.0
libssl1.0.0-dbg
IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
Alternatively (better), the openssl package should require
newer versions of the necessary libraries.
With Best Regards,
Jerzy Sobczyk
--
Jerzy Sobczyk
Institute of Control and Computation Engineering
Warsaw University of Technology
Nowowiejska 15/19, 00-665 Warsaw, POLAND
J.Sobczyk@ia.pw.edu.pl
http://www.ia.pw.edu.pl/~jurek
tel. +48 22 234 7863, fax. +48 22 8253719

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Fri, 11 Apr 2014 07:18:09 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 07:18:09 GMT)
Message #70 received at 743883@bugs.debian.org:
On Fri, Apr 11, 2014 at 08:40:17AM +0200, Jerzy Sobczyk wrote:
> Hello!
>
> After reading the advisory DSA-2896-1 openssl -- security update
> I have upgraded openssl on my servers to 1.0.1e-2+deb7u6
> and tested them again with:
> http://filippo.io/Heartbleed/#example.server.domain
> http://rehmann.co/projects/heartbeat/?domain=example.server.domain&port=443&submit=Submit
> And still I get "IS VULNERABLE" results!
> Does it mean that tests are wrong or the package is not fixed?
>
> After a while I have discovered that upgrading openssl package is not enough!
> It is necessary to upgrade also packages (may be too many):
> libcrypto1.0.0-udeb
> libssl-dev
> libssl-doc
> libssl1.0.0
> libssl1.0.0-dbg
> IT SHOULD BE WRITTEN IN THE ADVISORY!!!!
> Alternatively (better) openssl package should require
> newer versions of necessary libraries.
You need to update libssl1.0.0; it has always been written in the
advisory.
Kurt

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#743883; Package openssl. (Fri, 11 Apr 2014 08:03:04 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 11 Apr 2014 08:03:04 GMT)
Message #75 received at 743883@bugs.debian.org:
On 11 April 2014 08:40, Jerzy Sobczyk <J.Sobczyk@elka.pw.edu.pl> wrote:
[...]
> After a while I have discovered that upgrading openssl package is not enough!
> It is necessary to upgrade also packages (may be too many):
"All users are urged to upgrade their openssl packages (*especially
libssl1.0.0*) and restart applications as soon as possible."
[emphasis is mine]
We did mention it.
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
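The point Kurt and Raphael make above (upgrade libssl1.0.0, not just the openssl binary package, then restart whatever loaded the old copy) is something an administrator can verify on the host itself. The script below is an added example, not code from the bug log or the Debian advisory; it assumes a Linux /proc layout and the dpkg-query tool, and the proc tree it is exercised against in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the bug log). After libssl1.0.0 is upgraded,
# a process started before the upgrade still has the OLD library mapped
# and stays vulnerable until restarted; the kernel marks such mappings
# "(deleted)" in /proc/PID/maps. Paths and sample data are constructed.

# Print "PID<TAB>COMMAND" for every process whose memory map still holds a
# deleted libssl/libcrypto object. $1 is the proc root (default /proc),
# parameterized so the check can be run against a fake tree.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=$(basename "$(dirname "$maps")")
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\n' "$pid" "$comm"
        fi
    done
}

# Report the installed libssl1.0.0 version so it can be compared with the
# fixed versions named in this bug: 1.0.1e-2+deb7u5 (wheezy), 1.0.1g-1 (jessie/sid).
installed_libssl_version() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo 'dpkg-query not available'
        return 0
    fi
    dpkg-query -W -f '${Version}\n' libssl1.0.0 2>/dev/null || echo 'libssl1.0.0 not installed'
}

# Run the live scan only when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--scan" ]; then
    echo "libssl1.0.0: $(installed_libssl_version)"
    echo "processes still mapping a deleted libssl/libcrypto (restart these):"
    stale_ssl_pids /proc
fi
```

Run it as `sh check_libssl.sh --scan` as root after `apt-get upgrade`; an empty process list together with a fixed version is what the external Heartbleed testers in message #65 were really checking for.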

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 May 2014 07:31:56 GMT)
Last modified: Wed Jun 19 13:51:48 2019; Machine Name: buxtehude