Heartbleed Bug

Bug #1304651 reported by intel352
Affects           Status        Importance  Assigned to  Milestone
openssl (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

CVE-2014-0160

http://heartbleed.com/

The current version of openssl packaged for Ubuntu is 1.0.1f; it needs to be upgraded to 1.0.1g, and backports are needed for legacy systems. This is a pretty serious bug...

intel352 (intel352) wrote :

Set privacy to Public, as this is an already disclosed issue.

information type: Private Security → Public
intel352 (intel352) wrote :

Never mind, I need to close this. Ubuntu has already addressed it; the package versioning was misleading (to me at least): http://www.ubuntu.com/usn/usn-2165-1/

Changed in openssl (Ubuntu):
status: New → Fix Released
James Lewis (james-fsck) wrote :

14.04 is released in 2 days, but this fix does not seem to have been applied... The USN notification lists only up to 13.10, but as of today:

james@trinity:~$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

james@trinity:~$ date
Tue Apr 15 16:56:45 BST 2014

james@trinity:~$ more /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS"
james@trinity:~$

Marc Deslauriers (mdeslaur) wrote :

Heartbleed was fixed in Ubuntu 14.04 by the 1.0.1f-1ubuntu2 package that I uploaded on April 7th.

From the changelog:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <email address hidden> Mon, 07 Apr 2014 15:37:53 -0400

James Lewis (james-fsck) wrote :

OK, apt-get changelog openssl shows that there is a backported fix (I hate backported fixes because they make it very hard to know whether you have a vulnerable version or not)...

I imagine that having your version labeled 1.0.1f and dated in January will generate more than a few support calls!?

intel352 (intel352) wrote :

Re: james-fsck, that's the same issue that caused me to log this ticket in the first place, as the backported versions didn't make it apparent that they were up to date (neither the version nor the date reflects it). Quite misleading.
