[security-announce] Announcement: openssl 1.0.1h released to fix several vulnerabilities

5 Jun 2014

      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today the openssl project released a new version of the openssl library
(openssl-1.0.1h) that fixes six/seven vulnerabilities. Details about the
vulnerabilities can be found in their advisory:
http://www.openssl.org/news/secadv_20140605.txt

List of issues:
1. SSL/TLS MITM vulnerability (CVE-2014-0224)
2. DTLS recursion flaw (CVE-2014-0221)
3. DTLS invalid fragment vulnerability (CVE-2014-0195)
4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service
   (CVE-2010-5298)
6. Anonymous ECDH denial of service (CVE-2014-3470)
7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD
  (CVE-2014-0076)

We ship the following openssl versions which are affected by...:
- - SLES9: openssl 0.9.7d
	+ SSL/TLS MITM vulnerability (CVE-2014-0224)
- - SLE10: openssl 0.9.8a
	+ SSL/TLS MITM vulnerability (CVE-2014-0224)
	+ DTLS recursion flaw (CVE-2014-0221)
- - SLE11: openssl 0.9.8j
	+ SSL/TLS MITM vulnerability (CVE-2014-0224)
	+ DTLS recursion flaw (CVE-2014-0221)
	+ Anonymous ECDH denial of service (CVE-2014-3470)
- - Security AddON for SLES11: openssl 1.0.1g
	+ SSL/TLS MITM vulnerability (CVE-2014-0224)
	+ DTLS recursion flaw (CVE-2014-0221)
	+ DTLS invalid fragment vulnerability (CVE-2014-0195)
	+ SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
	  (CVE-2014-0198)
	+ Anonymous ECDH denial of service (CVE-2014-3470)
- - opensuse: openssl 1.0.1*
	+ SSL/TLS MITM vulnerability (CVE-2014-0224)
	+ DTLS recursion flaw (CVE-2014-0221)
	+ DTLS invalid fragment vulnerability (CVE-2014-0195)
	+ SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
	  (CVE-2014-0198)
	+ Anonymous ECDH denial of service (CVE-2014-3470)

An update package for CVE-2014-0076 was released in April 2014, see
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html.

DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects
only versions starting from 0.9.8o, therefore 0.9.8j is not affected by
this remote buffer overflow.

The updates will be released as soon as possible.

Best regards,
Thomas
- -- 
Thomas Biege , Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
- --
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEVAwUBU5CEfHey5gA9JdPZAQLC0gf/Y4M29yMsWf1fBUZP6VCFbDK03UAT0HhI
Srdx4FgSwr3Rda6M52UKqP8HdP2yv9/G30NGHihX7Gz6hStc8G/bvj8RyVGPlUh4
XadWUVztnSct1v68z45Z1zk53XBVsK5lIpxORX04LW0EPQytYAltD7/W4wvNtwBU
Y7Ji1WDb+L6sGHyZn9Cp2Zvs30+jraf10MK/L7tYuvdNoOJTVfgrlzt+dfFKIuuW
5Az7KXb8J21CEk4DVhO5CG2ogNjsVR/K7b7vlWFxYorhfkKr1tXi5SKSXooD1WPY
ovMhZFfopkKuuor898Xpyzb54Qjcc7eMDS3Pk7jDo9lBifY6loJqLw==
=bSsy
-----END PGP SIGNATURE-----
-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

Thomas Biege

tags

participants (1)