191 matches found
Debian DSA-3125-1 : openssl - security update (FREAK)
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2014-3569 Frank Schmirler reported that the ssl23getclienthello function in OpenSSL does not properly handle attempts ...
DSA-3125-1 openssl - security update
Bulletin has no description...
CVE-2014-3572
The ssl3getkeyexchange function in s3clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message...
Code injection
The ssl3getkeyexchange function in s3clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORTRSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to...
CVE-2015-0204
The ssl3getkeyexchange function in s3clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORTRSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to...
CVE-2014-3572
The ssl3getkeyexchange function in s3clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message...
Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that provides a patch to mitigate the CVE-2014-3566 issue is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Red Hat JBoss Enterprise Web Platform is a...
libzmq4 -- V3 protocol handler vulnerable to downgrade attacks
Pieter Hintjens reports: It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism...
Scientific Linux Security Update : nss, nss-util, and nss-softokn on SL5.x, SL6.x, SL7.x i386/x86_64 (20141202) (POODLE)
This update adds support for the TLS Fallback Signaling Cipher Suite Value TLSFALLBACKSCSV, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol...
RHEL 5 / 6 / 7 : nss, nss-util, and nss-softokn (RHSA-2014:1948) (POODLE)
Updated nss, nss-util, and nss-softokn packages that contain a patch to mitigate the CVE-2014-3566 issue, fix a number of bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security...
Code injection
PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors...
CVE-2014-8627
CVE-2014-8627 affects PolarSSL 1.3.8 where signature algorithm negotiation is flawed, enabling downgrade-like scenarios via unspecified vectors. Public sources (NVD/NASL/Nessus/OpenVAS) describe downgrad e risk and context; a patch path is to upgrade to newer PolarSSL versions (e.g., 1.3.9) as no...
CVE-2014-5277
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to...
PYSEC-2014-80
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to...
CVE-2014-5277
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to...
MGASA-2014-0416 Updated openssl packages fix security vulnerabilities
This update adds support for the TLS Fallback Signaling Cipher Suite Value TLSFALLBACKSCSV, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol...
Important: Red Hat Security Advisory: openssl security update
Updated openssl packages that contain a backported patch to mitigate the CVE-2014-3566 issue and fix two security issues are now available for Red Hat Storage 2.1. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System CVSS base...
Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (20141016) (POODLE)
This update adds support for the TLS Fallback Signaling Cipher Suite Value TLSFALLBACKSCSV, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol...
CentOS Update for openssl CESA-2014:1653 centos5
Check the version of openssl SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.882063";...
CentOS Update for openssl CESA-2014:1652 centos7
Check the version of openssl SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.882062";...