Status on CVE-2014-0160, aka "Heartbleed"

Robyn Bergeron rbergero at redhat.com
Tue Apr 8 03:01:24 UTC 2014


Greetings, Fedora community:

We're aware of the recently disclosed CVE-2014-0160 (aka 
"Heartbleed"):

https://bugzilla.redhat.com/show_bug.cgi?id=1085065 (openssl)
https://bugzilla.redhat.com/show_bug.cgi?id=1085066 (mingw-openssl)

The issue affects the currently supported Fedora 19 and Fedora 20 
releases. Updates for openssl packages are available now, and
mirrors near you will receive them shortly. If you do not want to 
wait for your local mirror to get updates, you can retrieve and 
install packages directly:

For Fedora 19 x86_64:
  yum -y install koji
  koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
  yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm

For Fedora 20 x86_64:
  yum -y install koji
  koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
  yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm

Substitute i686 for 32-bit systems, or armv7hl for ARM systems (F20
only).

Package updates for mingw-openssl will receive fixes shortly and 
we'll update the community when they are available. Note that 
Fedora 18, which is no longer supported by the Fedora community, is 
also affected by this issue. Fedora 17 and previous releases, also no 
longer supported, are not affected by this issue.

Fedora Release Engineering is currently regenerating AMIs and
qcow2/kvm images to include the fix.

The Fedora Infrastructure team is working to assess any additional 
impact, and will update the community as we develop more information.

Thanks for your patience as we work on this issue.

ACKNOWLEDGMENTS: Special thanks to Dennis Gilmore for quickly providing
package updates, and Major Hayden for providing the manual update
guidance above.


-Robyn Bergeron


More information about the announce mailing list