dwhitney67
August 8th, 2014, 01:48 AM
I received info regarding OpenSSL from the updater:
Version 1.0.1f-1ubuntu2.5:
This update was issued on 08/07/14 4:03 AM
  * SECURITY UPDATE: double free when processing DTLS packets
    - debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
    - CVE-2014-3505
  * SECURITY UPDATE: DTLS memory exhaustion
    - debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
      checks in ssl/d1_both.c.
    - CVE-2014-3506
  * SECURITY UPDATE: DTLS memory leak from zero-length fragments
    - debian/patches/CVE-2014-3507.patch: fix memory leak and return codes
      in ssl/d1_both.c.
I am synced in with Ubuntu 14.04 LTS. Why is OpenSSL 1.0.1f still being pushed to the repositories?
Probably the wrong place to voice an opinion, but please (Canonical) post an updated version that addresses the "ancient" Heart-Bleed issue reported months ago. The OpenSSL release that should be made available is (at least) 1.0.1g.