Debian: DSA-3053-1: openssl security update

    Date: 16 Oct 2014
    Category: Debian
    Posted By: LinuxSecurity Advisories
    
    -------------------------------------------------------------------------
    Debian Security Advisory DSA-3053-1
    http://www.debian.org/security/                           Thijs Kinkhorst
    October 16, 2014                       http://www.debian.org/security/faq
    -------------------------------------------------------------------------
    
    Package        : openssl
    CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
    
    Several vulnerabilities have been found in OpenSSL, the Secure Sockets
    Layer library and toolkit.
    
    CVE-2014-3513
    
        A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure
        Real-time Transport Protocol (SRTP) extension data. A remote attacker
        could send multiple specially crafted handshake messages to exhaust
        all available memory of an SSL/TLS or DTLS server.
    
    CVE-2014-3566 ("POODLE")
    
        A flaw was found in the way SSL 3.0 handled padding bytes when
        decrypting messages encrypted using block ciphers in cipher block
        chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM)
        attacker to decrypt a selected byte of a cipher text in as few as 256
        tries if they are able to force a victim application to repeatedly send
        the same data over newly created SSL 3.0 connections. 
    
        This update adds support for Fallback SCSV to mitigate this issue.
    
    CVE-2014-3567
    
        A memory leak flaw was found in the way OpenSSL handled failed
        session ticket integrity checks. A remote attacker could exhaust all
        available memory of an SSL/TLS or DTLS server by sending a large number
        of invalid session tickets to that server.
    
    CVE-2014-3568
    
        When OpenSSL is configured with "no-ssl3" as a build option, servers
        could accept and complete an SSL 3.0 handshake, and clients could be
        configured to send them.
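    As an added illustration of the two server-side behaviours the advisory describes (the Fallback SCSV mitigation for CVE-2014-3566 and the "no-ssl3" handling fixed by CVE-2014-3568), the following is example code written for this page, not Debian's or OpenSSL's own: it parses the fixed-length prefix of a ClientHello and applies the RFC 7507 decision rule. Function names, the constructed ClientHello bytes and the default version limits are assumptions of the example.

```python
# Added example (not from the advisory or from OpenSSL): minimal ClientHello
# parsing plus the server-side TLS_FALLBACK_SCSV rule from RFC 7507 and the
# "no-ssl3" rejection described for CVE-2014-3568.
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from one plaintext
    handshake record carrying a single ClientHello (assumed layout)."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22 or rec_len != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    body = record[5:]
    if body[0] != 1:                  # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    client_version = struct.unpack("!H", body[4:6])[0]
    pos = 6 + 32                      # skip the 32-byte client_random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def server_decision(record, highest_supported=TLS12, ssl3_enabled=False):
    """Server-side rule: refuse SSLv3 when it is disabled (no-ssl3), and
    answer inappropriate_fallback when the SCSV flags a version downgrade."""
    ver, suites = parse_client_hello(record)
    if ver == SSL3 and not ssl3_enabled:
        return "reject: protocol_version (SSLv3 disabled)"
    if TLS_FALLBACK_SCSV in suites and ver < highest_supported:
        return "reject: inappropriate_fallback"
    return f"accept: negotiate {NAMES[min(ver, highest_supported)]}"

def make_client_hello(version, suites):
    """Constructed test input: ClientHello with an empty session id, the
    null compression method and no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    hello += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(hs)) + hs
```

Against a live server, the same check is what `openssl s_client -connect host:443 -tls1 -fallback_scsv` performs: a server that supports a higher version and implements RFC 7507 refuses the connection with an inappropriate_fallback alert.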
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 1.0.1e-2+deb7u13.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.0.1j-1.
    
    We recommend that you upgrade your openssl packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    