Need to know an ETA for OpenSSL 1.01g - Critical Security Bug

Asked by Adam Rivera on 2014-04-08

Does anyone have an ETA to OpenSSL 1.01g for Trusty (14.04) via apt-get?

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu openssl Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Best Manfred Hampl (m-hampl) said : #1

If you are talking about CVE-2014-0076 and CVE-2014-0160, they seem to be already covered in the 1.0.1f-1ubuntu2 version for trusty that was published 15 hours ago.

see http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0160
and http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0076
and http://www.ubuntu.com/usn/usn-2165-1/

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <email address hidden> Mon, 07 Apr 2014 15:37:53 -0400

Adam Rivera (a432511) said : #2

Thank you sir.

Adam Rivera (a432511) said : #3

Thanks Manfred Hampl, that solved my question.