Mailinglist Archive: opensuse-security-announce (32 mails)

[security-announce] Announcement: openssl 1.0.1h released to fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today the openssl project released a new version of the openssl library
(openssl-1.0.1h) that fixes six/seven vulnerabilities. Details about the
vulnerabilities can be found in their advisory:
http://www.openssl.org/news/secadv_20140605.txt

List of issues:
1. SSL/TLS MITM vulnerability (CVE-2014-0224)
2. DTLS recursion flaw (CVE-2014-0221)
3. DTLS invalid fragment vulnerability (CVE-2014-0195)
4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
6. Anonymous ECDH denial of service (CVE-2014-3470)
7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD (CVE-2014-0076)

We ship the following openssl versions; each is affected by the issues listed beneath it:
- SLES9: openssl 0.9.7d
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
- SLE10: openssl 0.9.8a
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
- SLE11: openssl 0.9.8j
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- Security AddON for SLES11: openssl 1.0.1g
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- openSUSE: openssl 1.0.1*
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)

An update package for CVE-2014-0076 was released in April 2014, see
http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html.

DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects
only versions from 0.9.8o onward, so the 0.9.8j shipped in SLE11 is not
affected by this remote buffer overflow.
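The version bound above is the kind of statement that is easy to get wrong when checking an installed package, because OpenSSL's pre-1.1 version strings ("0.9.8j", "0.9.8o", "1.0.1g") do not sort correctly as plain strings once the letter suffix is involved. The following is an added example, not SUSE's or the OpenSSL project's code: it parses such version strings into comparable tuples, encodes the per-product table from this announcement, and applies the one explicit bound the announcement gives (CVE-2014-0195 from 0.9.8o onward) as a cross-check against that table. The ordering rule for letter suffixes (no suffix before "a", "z" before "za") is an assumption about OpenSSL's numbering scheme; product names are taken from the announcement, and "1.0.1*" is its own wildcard for the openSUSE packages.

```python
import re
from typing import NamedTuple


class OpenSSLVersion(NamedTuple):
    """major.minor.fix plus a lowercase letter suffix (pre-1.1 numbering).
    Plain tuple ordering yields the intended order because the suffix is
    compared as a string: no suffix < "a" < ... < "z" < "za" (assumed scheme)."""
    major: int
    minor: int
    fix: int
    letters: str


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> OpenSSLVersion:
    """Pull the version out of 'openssl-1.0.1h', a package name, or the
    output of `openssl version` ('OpenSSL 1.0.1h 5 Jun 2014')."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])


# Transcribed from the announcement: product -> (shipped version, issues).
SHIPPED = {
    "SLES9": ("0.9.7d", {"CVE-2014-0224"}),
    "SLE10": ("0.9.8a", {"CVE-2014-0224", "CVE-2014-0221"}),
    "SLE11": ("0.9.8j", {"CVE-2014-0224", "CVE-2014-0221", "CVE-2014-3470"}),
    "Security AddON for SLES11": ("1.0.1g", {
        "CVE-2014-0224", "CVE-2014-0221", "CVE-2014-0195",
        "CVE-2014-0198", "CVE-2014-3470"}),
    "openSUSE": ("1.0.1*", {
        "CVE-2014-0224", "CVE-2014-0221", "CVE-2014-0195",
        "CVE-2014-0198", "CVE-2014-3470"}),
}

# The announcement's one explicit version bound: the DTLS invalid fragment
# overflow (CVE-2014-0195) affects code from 0.9.8o onward. 1.0.1h is the
# release the announcement names as carrying the fixes.
CVE_2014_0195_FIRST_AFFECTED = parse_version("0.9.8o")
FIXED_RELEASE = parse_version("1.0.1h")


def cve_2014_0195_reaches(version_text: str) -> bool:
    """True if the code base is new enough to contain the CVE-2014-0195 bug.
    Only the lower bound is encoded: the announcement names no fix release
    for the 0.9.8 branch, so this says nothing about later 0.9.8 releases."""
    return parse_version(version_text) >= CVE_2014_0195_FIRST_AFFECTED


def fixed_in_1_0_1_line(version_text: str) -> bool:
    """True for 1.0.1h or a later 1.0.1 letter release (same major.minor.fix)."""
    v = parse_version(version_text)
    return v[:3] == FIXED_RELEASE[:3] and v >= FIXED_RELEASE


def affected_issues(product: str) -> set[str]:
    """Issues the announcement lists for a shipped product."""
    return set(SHIPPED[product][1])


def table_consistent_with_0195_rule() -> bool:
    """Cross-check: a product lists CVE-2014-0195 exactly when its shipped
    version is at or past 0.9.8o (as the announcement states for 0.9.8j)."""
    return all(("CVE-2014-0195" in cves) == cve_2014_0195_reaches(ver)
               for ver, cves in SHIPPED.values())


if __name__ == "__main__":
    for product, (ver, _) in SHIPPED.items():
        print(f"{product:28} {ver:8} {sorted(affected_issues(product))}")
    print("CVE-2014-0195 rule matches table:", table_consistent_with_0195_rule())
```

Feeding `openssl version` output or an rpm package name into `parse_version` gives a value that compares correctly against the bounds, which is what a naive string comparison of "0.9.8j" against "1.0.1h" or "0.9.8o" does not guarantee; `table_consistent_with_0195_rule` confirms that the announcement's table agrees with its stated 0.9.8o bound for every product.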

The updates will be released as soon as possible.

Best regards,
Thomas
--
Thomas Biege <thomas@xxxxxxx>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
Whoever stops wanting to get better stops being good.
-- Marie von Ebner-Eschenbach
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEVAwUBU5CEfHey5gA9JdPZAQLC0gf/Y4M29yMsWf1fBUZP6VCFbDK03UAT0HhI
Srdx4FgSwr3Rda6M52UKqP8HdP2yv9/G30NGHihX7Gz6hStc8G/bvj8RyVGPlUh4
XadWUVztnSct1v68z45Z1zk53XBVsK5lIpxORX04LW0EPQytYAltD7/W4wvNtwBU
Y7Ji1WDb+L6sGHyZn9Cp2Zvs30+jraf10MK/L7tYuvdNoOJTVfgrlzt+dfFKIuuW
5Az7KXb8J21CEk4DVhO5CG2ogNjsVR/K7b7vlWFxYorhfkKr1tXi5SKSXooD1WPY
ovMhZFfopkKuuor898Xpyzb54Qjcc7eMDS3Pk7jDo9lBifY6loJqLw==
=bSsy
-----END PGP SIGNATURE-----