CVE-2014-0160 (NVD)

2014-04-07

Heartbleed - The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Products Symantec_messaging_gateway, Ubuntu_linux, Debian_linux, Fedora, Filezilla_server, V100_firmware, V60_firmware, Micollab, Mivoice, Openssl, Opensuse, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Gluster_storage, Storage, Virtualization, S9922l_firmware, Application_processing_engine_firmware, Cp_1543\-1_firmware, Elan\-8\.2, Simatic_s7\-1500_firmware, Simatic_s7\-1500t_firmware, Wincc_open_architecture, Splunk
Type Out-of-bounds Read (CWE-125)
First patch http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
Relevant file/s • ./ssl/d1_both.c
• ./ssl/t1_lib.c
• ./CHANGES (modified, +9)
Links http://marc.info/?l=bugtraq&m=139905202427693&w=2
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://marc.info/?l=bugtraq&m=139757819327350&w=2
http://marc.info/?l=bugtraq&m=140015787404650&w=2
http://marc.info/?l=bugtraq&m=139774054614965&w=2
Last changed by Ruslan Habalov
Goto simplified view

openssl - Tree: 96db9023b8

(? files)

Filter Settings
Files
Navigation
Patch data:

(on by default)


Patched area:
Sections: