[security-announce] Announcement: openssl 1.0.1h released to fix several vulnerabilities
Today the openssl project released a new version of the openssl library
(openssl-1.0.1h) that fixes six/seven vulnerabilities. Details about the
vulnerabilities can be found in their advisory:
http://www.openssl.org/news/secadv_20140605.txt
List of issues:
1. SSL/TLS MITM vulnerability (CVE-2014-0224)
2. DTLS recursion flaw (CVE-2014-0221)
3. DTLS invalid fragment vulnerability (CVE-2014-0195)
4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
6. Anonymous ECDH denial of service (CVE-2014-3470)
7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD (CVE-2014-0076)
We ship the following openssl versions, which are affected by the issues listed under each:
- SLES9: openssl 0.9.7d
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
- SLE10: openssl 0.9.8a
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
- SLE11: openssl 0.9.8j
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- Security AddON for SLES11: openssl 1.0.1g
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- openSUSE: openssl 1.0.1*
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)
An update package for CVE-2014-0076 was released in April 2014, see
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html.
DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects
only versions starting from 0.9.8o, therefore 0.9.8j is not affected by
this remote buffer overflow.
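As an added triage helper (not part of this announcement or of any SUSE package), the check below parses an upstream OpenSSL version string or the first line of `openssl version` and applies the version rules above: the CVE-2014-0195 threshold of 0.9.8o and the fixed releases 0.9.8za / 1.0.0m / 1.0.1h taken from the linked OpenSSL advisory. It models upstream source releases only; distribution builds with backported fixes or without ECC support differ, which is why the per-product list above is the authoritative answer for SUSE packages.

```python
import re
from typing import Dict, Set, Tuple

# Accepts "0.9.8j", "1.0.1g" or "OpenSSL 1.0.1g 7 Apr 2014" (output of `openssl version`).
_VER_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Return a tuple that orders correctly, including the 0.9.8z -> 0.9.8za wrap."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)

# First release per branch that contains the fixes (from secadv_20140605).
FIXED_IN: Dict[Tuple[int, int, int], str] = {
    (0, 9, 8): "0.9.8za", (1, 0, 0): "1.0.0m", (1, 0, 1): "1.0.1h",
}
# Issues hitting every unfixed 0.9.8/1.0.x release, versus the narrower ones:
# CVE-2014-0195 only from 0.9.8o on, CVE-2014-0198 only on 1.0.x.
# CVE-2010-5298 and CVE-2014-0076 are deliberately not modelled: the
# announcement maps neither to a product, and 0076 was fixed in the April update.
ALL_BRANCHES = {"CVE-2014-0224", "CVE-2014-0221", "CVE-2014-3470"}
FIRST_AFFECTED_0195 = "0.9.8o"

def affected_cves(text: str) -> Set[str]:
    """CVEs from this advisory that an unpatched upstream build of `text` is exposed to."""
    v = parse_version(text)
    branch = v[:3]
    if branch == (0, 9, 7):
        # The announcement lists only the MITM flaw for SLES9's 0.9.7d.
        return {"CVE-2014-0224"}
    if branch not in FIXED_IN or v >= parse_version(FIXED_IN[branch]):
        return set()  # already fixed, or a branch outside this advisory
    cves = set(ALL_BRANCHES)
    if branch == (0, 9, 8):
        if v >= parse_version(FIRST_AFFECTED_0195):
            cves.add("CVE-2014-0195")
    else:
        cves.add("CVE-2014-0195")
        cves.add("CVE-2014-0198")
    return cves

if __name__ == "__main__":
    for sample in ("0.9.8j", "0.9.8o", "OpenSSL 1.0.1g 7 Apr 2014", "1.0.1h"):
        print(sample, "->", sorted(affected_cves(sample)) or "not affected")
```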
The updates will be released as soon as possible.
Best regards,
Thomas
--
Thomas Biege