Lucene search

K
debianDebianDEBIAN:DLA-132-1:941A7
HistoryJan 11, 2015 - 1:16 p.m.

[SECURITY] [DLA 132-1] openssl security update

2015-01-1113:16:17
lists.debian.org
31

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.12 Low

EPSS

Percentile

95.2%

Package : openssl
Version : 0.9.8o-4squeeze19
CVE ID : CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275
CVE-2015-0204

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2014-3570

Pieter Wuille of Blockstream reported that the bignum squaring
(BN_sqr) may produce incorrect results on some platforms, which
might make it easier for remote attackers to defeat cryptographic
protection mechanisms.

CVE-2014-3571

Markus Stenberg of Cisco Systems, Inc. reported that a carefully
crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. A remote attacker could use this flaw
to mount a denial of service attack.

CVE-2014-3572

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an
OpenSSL client would accept a handshake using an ephemeral ECDH
ciphersuite if the server key exchange message is omitted. This
allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks
and trigger a loss of forward secrecy.

CVE-2014-8275

Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project
and Konrad Kraszewski of Google reported various certificate
fingerprint issues, which allow remote attackers to defeat a
fingerprint-based certificate-blacklist protection mechanism.

CVE-2015-0204

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that
an OpenSSL client will accept the use of an ephemeral RSA key in a
non-export RSA key exchange ciphersuite, violating the TLS
standard. This allows remote SSL servers to downgrade the security
of the session.

Attachment:
signature.asc
Description: Digital signature

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.12 Low

EPSS

Percentile

95.2%