Open Source and information security mailing list archives
 
Date: Thu,  5 Jun 2014 18:50:35 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

Advisory ID: cisco-sa-20140605-openssl

Revision 1.0

For Public Release 2014 June 5 22:00 UTC (GMT)

Summary
=======

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

  SSL/TLS Man-in-the-Middle Vulnerability
  DTLS Recursion Flaw Vulnerability
  DTLS Invalid Fragment Vulnerability
  SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
  SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
  Anonymous ECDH Denial of Service Vulnerability
  ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Please note that the devices that are affected by this vulnerability are the devices acting as a Secure Socket Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available.
Cisco will release free software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities may be available. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
