Debian DEBIAN:SSL-:DD9E5
Jun 05, 2014 - 7:36 p.m.

openssl security update

2014-06-05 19:36:19
lists.debian.org

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.974 High
Percentile: 99.9%

Package: openssl
Version: 0.9.8o-4squeeze15
CVE ID: CVE-2014-0076 CVE-2014-0195 CVE-2014-0221 CVE-2014-3470 CVE-2014-0224

CVE-2014-0195

Jueri Aedla discovered that a buffer overflow in processing DTLS
fragments could lead to the execution of arbitrary code or denial
of service.

CVE-2014-0221

Imre Rad discovered the processing of DTLS hello packets is
susceptible to denial of service.

CVE-2014-0224

KIKUCHI Masashi discovered that carefully crafted handshakes can
force the use of weak keys, resulting in potential man-in-the-middle
attacks.

CVE-2014-3470

Felix Groebert and Ivan Fratric discovered that the implementation of
anonymous ECDH ciphersuites is susceptible to denial of service.

CVE-2014-0076

Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
Reported by Yuval Yarom and Naomi Benger.

Additional information can be found at
http://www.openssl.org/news/secadv_20140605.txt

All applications linked to openssl need to be restarted. You can
use the tool checkrestart from the package debian-goodies to
detect affected programs or reboot your system.

It's important that you upgrade the libssl0.9.8 package and not
just the openssl package.
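
The restart check described above, as an added example that is not part of the Debian advisory: a shell function that lists processes still mapping the deleted, pre-upgrade libssl/libcrypto, similar in purpose to checkrestart. The function names and the overridable proc root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: find processes that still map the deleted, pre-upgrade
# libssl/libcrypto and therefore need a restart after the upgrade.

# Print "PID<TAB>COMMAND<TAB>LIBRARY" for every stale mapping.
# $1 is the proc root (assumption of this example: overridable so the
# function can be run against a constructed tree); defaults to /proc.
stale_openssl_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # process gone or not ours to read
        dir=${maps%/maps}
        pid=${dir##*/}
        # First line of /proc/PID/status is "Name:<TAB>command".
        name=$(sed -n 's/^Name:[[:space:]]*//p;q' "$dir/status" 2>/dev/null || true)
        [ -n "$name" ] || name='?'
        # maps columns: range perms offset dev inode path ["(deleted)"]
        # A library file replaced on disk keeps its mapping, marked "(deleted)".
        awk -v pid="$pid" -v name="$name" '
            $NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ {
                lib = $(NF-1)
                if (!seen[lib]++) printf "%s\t%s\t%s\n", pid, name, lib
            }' "$maps" 2>/dev/null || true
    done
}

# Installed version of the library package the advisory says must be upgraded.
libssl_pkg_version() {
    dpkg-query -W -f='${Version}\n' libssl0.9.8 2>/dev/null
}

# Run as: sh script.sh --scan   (root is needed to read other users' maps)
if [ "${1:-}" = "--scan" ]; then
    echo "libssl0.9.8 installed: $(libssl_pkg_version || echo unknown)"
    stale_openssl_procs /proc
fi
```

Any process it lists was started before the upgrade and is still running the old library code until it is restarted.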
