CVE-2014-0160

Bug #1304042 reported by Alex Gaynor on 2014-04-07
This bug affects 9 people
Affects: openssl (Debian); Status: Fix Released; Importance: Unknown
Affects: openssl (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

The version of OpenSSL which is shipped with Ubuntu is vulnerable to CVE-2014-0160. This is resolved with OpenSSL 1.0.1g (https://www.openssl.org/news/secadv_20140407.txt). This is *extremely* high severity, see heartbleed.com for full information.

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed

Linked as upstream instead of Distribution, fixed.

no longer affects: openssl
Seth Arnold (seth-arnold) wrote :
Changed in openssl (Ubuntu):
status: Confirmed → Fix Released

Hi,

Why is the urgency in the changelog just "medium" when the bug has a severity of "grave"?
Shouldn't that be enough for high?

And thanks for the quick reaction/fix, good job!

Best regards,
Darkman

Seth Arnold (seth-arnold) wrote :

The changelog severities don't mean anything in Ubuntu.

Ubuntu's CVEs aren't tracked by severity, those are our internal priority for fixing them.

All security bugs in Debian have a severity of "grave".

Changed in openssl (Debian):
status: Unknown → Fix Released
Simon Wong (wongy) wrote :

Thank you for the rapid response.
