4

I have read that there is a bug in SSL called heart bleed bug. Has Ubuntu 14.04 shipped along with this bug or has it been resolved in this release?

Braiam
  • 67,791
  • 32
  • 179
  • 269
M.Tarun
  • 5,001
  • 6
  • 33
  • 64
  • And see my answer to: http://askubuntu.com/questions/450076/openssl-remains-vulnerable-after-update-to-14-04 – david6 Apr 19 '14 at 00:44

2 Answers2

5

If I get this right you're secure:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  • SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    • debian/patches/CVE-2014-0076.patch: add and use constant time swap in crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c, util/libeay.num.
    • CVE-2014-0076
  • SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    • debian/patches/CVE-2014-0160.patch: use correct lengths in ssl/d1_both.c, ssl/t1_lib.c.
    • CVE-2014-0160

-- Marc Deslauriers Mon, 07 Apr 2014 15:37:53 -0400

Zanna
  • 70,465
SvenniBenni
  • 116
  • 5
3

Yes, provided you've installed the latest updates. The latest version of openssl in the 14.04 repositories is 1.0.1f-1ubuntu2. You can check that you're running that version by opening a terminal and running: apt-cache show openssl | grep Version

Johan
  • 31
  • 1