
Thread: Solution for CVE-2014-0160 ?

  1. #1
    Join Date
    Apr 2014
    Beans
    1

    Solution for CVE-2014-0160 ?

    Hi,

    There's a new serious OpenSSL security issue, affecting OpenSSL 1.0.1 and 1.0.2-beta releases (including the one shipped with 13.10).

    Is there an apt repo available with 1.0.1g or 1.0.2-beta1? These versions resolve the issue.

    See also:
    http://www.openssl.org/news/secadv_20140407.txt
    https://news.ycombinator.com/item?id=7548468
    http://heartbleed.com/

    regards,
    Mike

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Solution for CVE-2014-0160 ?

    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Nov 2008
    Location
    Kingdom of cookies
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Solution for CVE-2014-0160 ?

    Ubuntu Forums Moderation Staff || SandyDNET
    Twitter: @CatchesAStar | Last.fm
    Ubuntu Membership via Forum Contributions

  4. #4
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Solution for CVE-2014-0160 ?

    I always check the Ubuntu Security Notices page, to see if a security problem has been resolved.

  5. #5
    Join Date
    Dec 2006
    Location
    Tommy Douglas' Mouseland
    Beans
    74

    Re: Solution for CVE-2014-0160 ?

    So I am guessing NO, but curious to ask: does / did this affect OpenSSH in any way? Any fault in a common library, etc.?

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Solution for CVE-2014-0160 ?

    I don't think openssl was used for openssh. There was a previous update for openssh a few days ago, but it wasn't related to this vulnerability.

    Here's the changelog from one of my Debian boxes, Ubuntu should have similar:

    --- Changes for openssh (openssh-client openssh-server ssh) ---
    openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high

    * CVE-2014-2532: Disallow invalid characters in environment variable names
    to prevent bypassing AcceptEnv wildcard restrictions.
    * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
    certificate (closes: #742513).

  7. #7
    Join Date
    Mar 2011
    Beans
    6

    Re: Solution for CVE-2014-0160 ?

    I'm on Ubuntu 11.10 server. According to what I read, the vulnerability only affects Ubuntu 12+. My OpenSSL version is 1.0.0e, so it's older than what is affected; however, there are other vulnerabilities, so I feel like I should upgrade to the latest. Is it possible?
    I did:
    sudo apt-get update
    sudo apt-get upgrade
    and after I still have OpenSSL 1.0.0e

    *Should* I be trying to upgrade this, or is 1.0.0e safe?
    *Can* I upgrade 11.10 to the current OpenSSL, or would that require upgrading the whole enchilada to Ubuntu 14?
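
Added example (not written by any poster in this thread): a small classifier for `openssl version` output against the upstream range for CVE-2014-0160, which the OpenSSL advisory linked in post #1 gives as 1.0.1 through 1.0.1f, fixed in 1.0.1g. The function name, status strings and sample lines are constructed for illustration.

```python
import re

NOT_AFFECTED = "not affected"
AFFECTED = "affected upstream"
FIXED = "fixed upstream"
PRERELEASE = "pre-release, check the advisory"
UNPARSEABLE = "unparseable"

# Letter releases of the 1.0.1 branch with the heartbeat bug: 1.0.1 .. 1.0.1f.
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.]+)?")


def classify(version_line):
    """Classify one line of `openssl version` output by its upstream version."""
    m = VERSION_RE.search(version_line)
    if m is None:
        return UNPARSEABLE
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if "beta" in suffix or "pre" in suffix:
        return PRERELEASE  # betas have their own fix schedule
    if branch != (1, 0, 1):
        return NOT_AFFECTED  # e.g. the 1.0.0 and 0.9.8 branches
    # Caveat: distributions backport security fixes without changing the
    # upstream version string, so AFFECTED here means "confirm the installed
    # package against the distribution's security notice", not "exploitable".
    return AFFECTED if letter in AFFECTED_LETTERS else FIXED


# Constructed sample lines in the format printed by `openssl version`.
SAMPLES = [
    "OpenSSL 1.0.0e 6 Sep 2011",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:35} -> {classify(line)}")
```
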

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Solution for CVE-2014-0160 ?

    11.10 is End of Life. It would be a good idea to upgrade to 12.04 at the very least.
    https://wiki.ubuntu.com/Releases

  9. #9
    Join Date
    Mar 2011
    Beans
    6

    Re: Solution for CVE-2014-0160 ?

    Yes I realize that.

  10. #10
    Join Date
    Mar 2011
    Beans
    6

    Re: Solution for CVE-2014-0160 ?

    So then I take it the answer to both questions is No?
