Alerts This Week
Warning Icon 1 525
Alerts This Week
Warning Icon 1 525

openSUSE: 2014:0764-1 Critical: OpenSSL Security Update for Systems

opensuse
Calendar Grey June 6, 2014
Dist Opensuse Esm H88
Ubuntu releases urgent patch for GnuTLS fixing three vulnerabilities. Protect your environments immediately with version 3.6.7.
An update that fixes four vulnerabilities is now available

Description

The openssl library was updated to version 1.0.1h fixing various security

issues and bugs:

Security issues fixed:

- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully

crafted handshake can force the use of weak keying material in OpenSSL

SSL/TLS clients and servers.

- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS

handshake to an OpenSSL DTLS client the code can be made to recurse

eventually crashing in a DoS attack.

- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer

overrun attack can be triggered by sending invalid DTLS fragments to an

OpenSSL DTLS client or server. This is potentially exploitable to run

arbitrary code on a vulnerable client or server.

- CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH

ciphersuites are subject to a denial of service attack.

Topics%20covered

Topics Covered

security advisory security issue update critical DoS openssl openSUSE

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-410

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-410

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.1 (i586 x86_64):

libopenssl-devel-1.0.1h-11.48.1

libopenssl1_0_0-1.0.1h-11.48.1

libopenssl1_0_0-debuginfo-1.0.1h-11.48.1

openssl-1.0.1h-11.48.1

openssl-debuginfo-1.0.1h-11.48.1

openssl-debugsource-1.0.1h-11.48.1

- openSUSE 13.1 (x86_64):

libopenssl-devel-32bit-1.0.1h-11.48.1

libopenssl1_0_0-32bit-1.0.1h-11.48.1

libopenssl1_0_0-debuginfo-32bit-1.0.1h-11.48.1

- openSUSE 13.1 (noarch):

openssl-doc-1.0.1h-11.48.1

- openSUSE 12.3 (i586 x86_64):

libopenssl-devel-1.0.1h-1.60.1

libopenssl1_0_0-1.0.1h-1.60.1

libopenssl1_0_0-debuginfo-1.0.1h-1.60.1

openssl-1.0.1h-1.60.1

openssl-debuginfo-1.0.1h-1.60.1

openssl-debugsource-1.0.1h-1.60.1

- openSUSE 12.3 (x86_64):

libopenssl-devel-32bit-1.0.1h-1.60.1

libopenssl1_0_0-32bit-1.0.1h-1.60.1

libopenssl1_0_0-debuginfo-32bit-1.0.1h-1.60.1

- openSUSE 12.3 (noarch):

openssl-doc-1.0.1h-1.60.1

References

https://www.suse.com/security/cve/CVE-2014-0195.html

https://www.suse.com/security/cve/CVE-2014-0221.html

https://www.suse.com/security/cve/CVE-2014-0224.html

https://www.suse.com/security/cve/CVE-2014-3470.html

Severity
critical
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2014:0764-1
Rating: critical
Affected Products: openSUSE 13.1 openSUSE 12.3 .

Topics%20covered

Topics Covered

security advisory security issue update critical DoS openssl openSUSE

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here