openssl vulnerable to remote memory reads (aka heartbleed bug) - grave error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Raspbian | Fix Released | Undecided | Unassigned |
Bug Description
The openssl heartbleed bug exposes server memory to remote attackers. Specifically, people have been able to pull down SSL private keys, plaintext passwords, and compromising pictures of you and that goat when you were partying in Mexico.
The exploit is in the wild.
Debian bug 743833 for CVE-2014-0160 was just built and pushed by the Debian security team yesterday; they classified it as a grave security bug, and that's accurate. It's one of the worst I've seen in years because it doesn't just create a crash, it exposes private keys and plaintext passwords.
This is a request for an IMMEDIATE pull and incorporation of the Debian security fix into Raspbian. Our current version, openssl 1.0.1e-2+deb7u4, is vulnerable, as this was fixed in Debian 1.0.1e-2+deb7u5.
information type: Private Security → Public Security
Changed in raspbian:
status: New → Fix Released
This should be fixed in 1.0.1e-2+rvt+deb7u5, which I'm pushing out at the moment.
Sorry for the delay; we had some infrastructure issues which, combined with this patch needing manual attention due to previous changes we made to openssl, have slowed things down a bit.