I just installed openssl 1.0.1e-8.mga4 and its related libraries. Is this version of SSL susceptible to the Heartbleed bug?
Thanks!
Lloyd
$ rpm -q --changelog openssl-1.0.1e | head -4
* Mon Apr 07 2014 luigiwalser <luigiwalser> 1.0.1e-8.2.mga4
+ Revision: 612765
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.