ID:

CVE-2014-0160 (NVD)

- Vulnerability Info (edit)
2014-04-07

Heartbleed - The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Products openssl
Type Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
First patch
2014-04-07
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
"Add heartbeat extension bounds check. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the..."
fix (CVE-2014-0160)


Stats: +36 lines / -13 lines (total: 49 lines)
Patches https://gist.github.com/chapmajs/10473815
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
Relevant file/s • ./ssl/t1_lib.c
• ./ssl/d1_both.c
• ./CHANGES (modified, +9)
Links http://www.us-cert.gov/ncas/alerts/TA14-098A
http://rhn.redhat.com/errata/RHSA-2014-0396.html
http://marc.info/?l=bugtraq&m=139757726426985&w=2
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html
Annotation
Goto simplified view

openssl - Tree: 96db9023b8

(? files)

Filter Settings
Files
Metadata

Editor

Patched area:
Sections:

Editor control keys:
  • v: mark/unmark section as vulnerable
  • i: mark/unmark section as irrelevant
  • c: add comment to currently selected line