FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-0160

This CVE name corresponds to:

Entered: 2014-04-07
Topic: OpenSSL -- Remote Information Disclosure

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2014-0160
Phase: Assigned (20131203)

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

References

Source      Reference
EXPLOIT-DB 32745
EXPLOIT-DB 32764
FULLDISC 20140408 Re: heartbleed OpenSSL bug CVE-2014-0160
FULLDISC 20140408 heartbleed OpenSSL bug CVE-2014-0160
FULLDISC 20140409 Re: heartbleed OpenSSL bug CVE-2014-0160
FULLDISC 20140412 Re: heartbleed OpenSSL bug CVE-2014-0160
FULLDISC 20140411 MRI Rubies may contain statically linked, vulnerable OpenSSL
MLIST [syslog-ng-announce] 20140411 syslog-ng Premium Edition 5 LTS (5.0.4a) has been released
MISC http://heartbleed.com/
MISC http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
MISC https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
MISC https://gist.github.com/chapmajs/10473815
MISC https://www.cert.fi/en/reports/2014/vulnerability788210.html
CONFIRM http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
CONFIRM http://www.openssl.org/news/secadv_20140407.txt
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1084875
CONFIRM http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21670161
CONFIRM http://www.blackberry.com/btsc/KB35882
CONFIRM http://www.splunk.com/view/SP-CAAAMB3
CONFIRM https://code.google.com/p/mod-spdy/issues/detail?id=85
CONFIRM http://www.f-secure.com/en/web/labs_global/fsc-2014-1
CONFIRM http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
CONFIRM http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
CONFIRM http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
CONFIRM http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
CONFIRM http://cogentdatahub.com/ReleaseNotes.html
CONFIRM http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
CONFIRM http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
CONFIRM http://www.kerio.com/support/kerio-control/release-history
CONFIRM http://advisories.mageia.org/MGASA-2014-0165.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=isg400001841
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=isg400001843
CONFIRM https://filezilla-project.org/versions.php?type=server
CISCO 20140409 OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
DEBIAN DSA-2896
FEDORA FEDORA-2014-4879
FEDORA FEDORA-2014-4910
HP HPSBMU02995
HP HPSBMU03009
HP HPSBMU03022
HP HPSBMU03024
HP HPSBST03000
REDHAT RHSA-2014:0376
REDHAT RHSA-2014:0377
REDHAT RHSA-2014:0378
REDHAT RHSA-2014:0396
SUSE SUSE-SA:2014:002
SUSE openSUSE-SU-2014:0492
CERT TA14-098A
CERT-VN VU#720951
BID 66690
SECTRACK 1030026
SECTRACK 1030074
SECTRACK 1030077
SECTRACK 1030078
SECTRACK 1030079
SECTRACK 1030080
SECTRACK 1030081
SECTRACK 1030082
SECUNIA 57347
SECUNIA 57483
SECUNIA 57721
SECUNIA 57836
SECUNIA 57966
SECUNIA 57968