CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.12 Low (Percentile 95.2%)

Package : openssl
Version : 0.9.8o-4squeeze19
CVE ID : CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2014-3570

Pieter Wuille of Blockstream reported that the bignum squaring
(BN_sqr) may produce incorrect results on some platforms, which
might make it easier for remote attackers to defeat cryptographic
protection mechanisms.

CVE-2014-3571

Markus Stenberg of Cisco Systems, Inc. reported that a carefully
crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. A remote attacker could use this flaw
to mount a denial of service attack.

CVE-2014-3572

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an
OpenSSL client would accept a handshake using an ephemeral ECDH
ciphersuite if the server key exchange message is omitted. This
allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks
and trigger a loss of forward secrecy.

CVE-2014-8275

Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project
and Konrad Kraszewski of Google reported various certificate
fingerprint issues, which allow remote attackers to defeat a
fingerprint-based certificate-blacklist protection mechanism.

CVE-2015-0204

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that
an OpenSSL client will accept the use of an ephemeral RSA key in a
non-export RSA key exchange ciphersuite, violating the TLS
standard. This allows remote SSL servers to downgrade the security
of the session.

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 6 | i386 | libssl0.9.8-dbg | < 0.9.8o-4squeeze19 | libssl0.9.8-dbg_0.9.8o-4squeeze19_i386.deb |
Debian | 6 | all | openssl | < 0.9.8o-4squeeze19 | openssl_0.9.8o-4squeeze19_all.deb |
Debian | 6 | i386 | libssl0.9.8 | < 0.9.8o-4squeeze19 | libssl0.9.8_0.9.8o-4squeeze19_i386.deb |
Debian | 7 | kfreebsd-i386 | libssl1.0.0-dbg | < 1.0.1e-2+deb7u14 | libssl1.0.0-dbg_1.0.1e-2+deb7u14_kfreebsd-i386.deb |
Debian | 7 | mips | libssl1.0.0 | < 1.0.1e-2+deb7u14 | libssl1.0.0_1.0.1e-2+deb7u14_mips.deb |
Debian | 7 | s390x | libcrypto1.0.0-udeb | < 1.0.1e-2+deb7u14 | libcrypto1.0.0-udeb_1.0.1e-2+deb7u14_s390x.deb |
Debian | 7 | kfreebsd-amd64 | libssl-dev | < 1.0.1e-2+deb7u14 | libssl-dev_1.0.1e-2+deb7u14_kfreebsd-amd64.deb |
Debian | 7 | s390 | openssl | < 1.0.1e-2+deb7u14 | openssl_1.0.1e-2+deb7u14_s390.deb |
Debian | 7 | ia64 | libssl1.0.0 | < 1.0.1e-2+deb7u14 | libssl1.0.0_1.0.1e-2+deb7u14_ia64.deb |
Debian | 7 | powerpc | libssl-dev | < 1.0.1e-2+deb7u14 | libssl-dev_1.0.1e-2+deb7u14_powerpc.deb |