| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Oct 2014 16:01:01 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2014:203 ] openssl -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:203 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : openssl Date : October 23, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in openssl: OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566). When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack (CVE-2014-3567). The updated packages have been upgraded to the 1.0.0o version where these security flaws has been fixed. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567 https://www.openssl.org/news/secadv_20141015.txt _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 054c36eb1d59a0556ab17a1627f869d2 mbs1/x86_64/lib64openssl1.0.0-1.0.0o-1.mbs1.x86_64.rpm aaff926dab60e6d5635afde92edd9c91 mbs1/x86_64/lib64openssl-devel-1.0.0o-1.mbs1.x86_64.rpm 27a964cb0697f9a8d0c487db11928cca mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0o-1.mbs1.x86_64.rpm 012ccb3cd7acc23e33666290036d0ec9 mbs1/x86_64/lib64openssl-static-devel-1.0.0o-1.mbs1.x86_64.rpm dba56f5d00437cfb90c7fecaa7dc2e86 mbs1/x86_64/openssl-1.0.0o-1.mbs1.x86_64.rpm 89ba517c11cc244d57ecb98ec4be4140 mbs1/SRPMS/openssl-1.0.0o-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUSPwVmqjQ0CJFipgRAoQHAKCIgL44O4dBEo3ep06OX6hAeXC1NQCeL5MZ edOuyF2nZMTtzX6h+9r58OU= =MJxs -----END PGP SIGNATURE-----
Powered by blists - more mailing lists