CVE-2014-0160

Published: 07 April 2014

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Priority

High

CVSS 3 base score: 7.5

Status

Package     Release                              Status
openssl     Upstream                             Released (1.0.1g)
openssl     Ubuntu 14.04 ESM (Trusty Tahr)       Released (1.0.1f-1ubuntu2)
openssl     Ubuntu 12.04 ESM (Precise Pangolin)  Released (1.0.1-4ubuntu5.12)
openssl098  Upstream                             Not vulnerable
openssl098  Ubuntu 14.04 ESM (Trusty Tahr)       Not vulnerable
openssl098  Ubuntu 12.04 ESM (Precise Pangolin)  Not vulnerable

Patches (openssl):
Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 (1.0.1)