Commit eb07ed1d authored by Thomas Vincent's avatar Thomas Vincent

[DSA 3053-1] openssl security update

CVS version numbers

english/security/2014/dsa-3053.data: INITIAL -> 1.1 
english/security/2014/dsa-3053.wml: INITIAL -> 1.1
parent 51808663
<define-tag pagetitle>DSA-3053-1 openssl</define-tag>
<define-tag report_date>2014-10-16</define-tag>
<define-tag secrefs>CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568</define-tag>
<define-tag packages>openssl</define-tag>
<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>yes</define-tag>
<define-tag fixed-section>no</define-tag>
#use wml::debian::security
</dl>
<define-tag description>security update</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities have been found in OpenSSL, the Secure Sockets
Layer library and toolkit.</p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3513">CVE-2014-3513</a>
<p>A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure
Real-time Transport Protocol (SRTP) extension data. A remote attacker
could send multiple specially crafted handshake messages to exhaust
all available memory of an SSL/TLS or DTLS server.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3566">CVE-2014-3566 ("POODLE")</a>
<p>A flaw was found in the way SSL 3.0 handled padding bytes when
decrypting messages encrypted using block ciphers in cipher block
chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM)
attacker to decrypt a selected byte of a cipher text in as few as 256
tries if they are able to force a victim application to repeatedly send
the same data over newly created SSL 3.0 connections. </p>
<p>This update adds support for Fallback SCSV to mitigate this issue.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3567">CVE-2014-3567</a>
<p>A memory leak flaw was found in the way an OpenSSL handled failed
session ticket integrity checks. A remote attacker could exhaust all
available memory of an SSL/TLS or DTLS server by sending a large number
of invalid session tickets to that server. </p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3568">CVE-2014-3568</a>
<p>When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.</p></li>
</ul>
<p>For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u13.</p>
<p>For the unstable distribution (sid), these problems have been fixed in
version 1.0.1j-1.</p>
<p>We recommend that you upgrade your openssl packages.</p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2014/dsa-3053.data"
# $Id$
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment