Suse: OPENSUSE-SU-2014:0764-1
Jun 06, 2014 - 11:04 a.m.

openssl: update to version 1.0.1h (critical)

2014-06-06 11:04:41
lists.opensuse.org

EPSS: 0.974 (High), percentile 99.9%

The openssl library was updated to version 1.0.1h fixing various security
issues and bugs:

Security issues fixed:

  • CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully
    crafted handshake can force the use of weak keying material in OpenSSL
    SSL/TLS clients and servers.
  • CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS
    handshake to an OpenSSL DTLS client, the code can be made to recurse,
    eventually crashing in a DoS attack.
  • CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
    overrun attack can be triggered by sending invalid DTLS fragments to an
    OpenSSL DTLS client or server. This is potentially exploitable to run
    arbitrary code on a vulnerable client or server.
  • CVE-2014-3470: Fix bug in TLS code where clients that enable anonymous
    ECDH ciphersuites are subject to a denial of service attack.