GLSA-201404-07 : OpenSSL: Information Disclosure
High Nessus Plugin ID 73407
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-201404-07 (OpenSSL: Information Disclosure)
Multiple vulnerabilities have been found in OpenSSL:
OpenSSL incorrectly handles memory in the TLS heartbeat extension, leading to information disclosure of 64kb per request, possibly including private keys (“Heartbleed bug”, OpenSSL 1.0.1 only, CVE-2014-0160).
The Montgomery ladder implementation of OpenSSL improperly handles swap operations (CVE-2014-0076).
Impact :
A remote attacker could exploit these issues to disclose information, including private keys or other sensitive information, or perform side-channel attacks to obtain ECDSA nonces.
Workaround :
Disabling the tls-heartbeat USE flag (enabled by default) provides a workaround for the CVE-2014-0160 issue.
Solution
All OpenSSL users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=dev-libs/openssl-1.0.1g' Note: All services using OpenSSL to provide TLS connections have to be restarted for the update to take effect. Utilities like app-admin/lib_users can aid in identifying programs using OpenSSL.
As private keys may have been compromised using the Heartbleed attack, it is recommended to regenerate them.