openerp-community team mailing list archive

Thread
Date

Security issue : OpenSSL Security Advisory [07 Apr 2014]

To: "openerp-community@xxxxxxxxxxxxxxxxxxx Community" <openerp-community@xxxxxxxxxxxxxxxxxxx>
From: Peter Langenberg <peter.langenberg@xxxxxxxxxxxxx>
Date: Tue, 8 Apr 2014 14:31:58 +0200
Sender: peter@xxxxxxxxxxxxx

FYI ->

https://www.openssl.org/news/secadv_20140407.txt

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@xxxxxxxxxxxx> and Bodo Moeller <bmoeller@xxxxxxx> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.


Peter

Follow ups

Re: Security issue : OpenSSL Security Advisory [07 Apr 2014]
From: Peter Langenberg, 2014-04-08