CVSS2 score : 6.8 Medium
Access Vector : NETWORK
Access Complexity : MEDIUM
Authentication : NONE
Confidentiality Impact : PARTIAL
Integrity Impact : PARTIAL
Availability Impact : PARTIAL
CVSS2 vector : AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS score : 0.471 Medium
EPSS percentile : 97.4%
Package : openssl
Version : 0.9.8o-4squeeze21
CVE ID : CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000
Multiple vulnerabilities were discovered in OpenSSL, a Secure Sockets
Layer toolkit.
CVE-2014-8176
Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered
that an invalid memory free could be triggered when buffering DTLS
data. This could allow remote attackers to cause a denial of service
(crash) or potentially execute arbitrary code. This issue only
affected the oldstable distribution (wheezy).
CVE-2015-1789
Robert Swiecki and Hanno Böck discovered that the X509_cmp_time
function could read a few bytes out of bounds. This could allow remote
attackers to cause a denial of service (crash) via crafted
certificates and CRLs.
CVE-2015-1790
Michal Zalewski discovered that the PKCS#7 parsing code did not
properly handle missing content which could lead to a NULL pointer
dereference. This could allow remote attackers to cause a denial of
service (crash) via crafted ASN.1-encoded PKCS#7 blobs.
CVE-2015-1791
Emilia Käsper discovered that a race condition could occur due to
incorrect handling of NewSessionTicket in a multi-threaded client,
leading to a double free. This could allow remote attackers to cause
a denial of service (crash).
CVE-2015-1792
Johannes Bauer discovered that the CMS code could enter an infinite
loop when verifying a signedData message, if presented with an
unknown hash function OID. This could allow remote attackers to cause
a denial of service.
Additionally, OpenSSL will now reject handshakes using DH parameters
shorter than 768 bits as a countermeasure against the Logjam attack
(CVE-2015-4000).
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
Debian | 7 | mips | libcrypto1.0.0-udeb | < 1.0.1e-2+deb7u17 | libcrypto1.0.0-udeb_1.0.1e-2+deb7u17_mips.deb |
Debian | 7 | s390x | libssl-dev | < 1.0.1e-2+deb7u17 | libssl-dev_1.0.1e-2+deb7u17_s390x.deb |
Debian | 8 | armhf | libssl1.0.0-dbg | < 1.0.1k-3+deb8u1 | libssl1.0.0-dbg_1.0.1k-3+deb8u1_armhf.deb |
Debian | 7 | ia64 | libcrypto1.0.0-udeb | < 1.0.1e-2+deb7u17 | libcrypto1.0.0-udeb_1.0.1e-2+deb7u17_ia64.deb |
Debian | 7 | mipsel | libssl1.0.0-dbg | < 1.0.1e-2+deb7u17 | libssl1.0.0-dbg_1.0.1e-2+deb7u17_mipsel.deb |
Debian | 7 | powerpc | libssl1.0.0 | < 1.0.1e-2+deb7u17 | libssl1.0.0_1.0.1e-2+deb7u17_powerpc.deb |
Debian | 8 | s390x | openssl | < 1.0.1k-3+deb8u1 | openssl_1.0.1k-3+deb8u1_s390x.deb |
Debian | 7 | armel | libcrypto1.0.0-udeb | < 1.0.1e-2+deb7u17 | libcrypto1.0.0-udeb_1.0.1e-2+deb7u17_armel.deb |
Debian | 8 | mips | openssl | < 1.0.1k-3+deb8u1 | openssl_1.0.1k-3+deb8u1_mips.deb |
Debian | 7 | armhf | libssl1.0.0 | < 1.0.1e-2+deb7u17 | libssl1.0.0_1.0.1e-2+deb7u17_armhf.deb |