[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1XhIwn-0001Sx-2a@titan.mandriva.com>
Date: Thu, 23 Oct 2014 16:01:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:203 ] openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:203
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : openssl
Date : October 23, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in openssl:
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade. Some client applications (such as browsers) will reconnect
using a downgraded protocol to work around interoperability bugs in
older servers. This could be exploited by an active man-in-the-middle
to downgrade connections to SSL 3.0 even if both sides of the
connection support higher protocols. SSL 3.0 contains a number of
weaknesses including POODLE (CVE-2014-3566).
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack (CVE-2014-3567).
The updated packages have been upgraded to the 1.0.0o version where
these security flaws has been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
https://www.openssl.org/news/secadv_20141015.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
054c36eb1d59a0556ab17a1627f869d2 mbs1/x86_64/lib64openssl1.0.0-1.0.0o-1.mbs1.x86_64.rpm
aaff926dab60e6d5635afde92edd9c91 mbs1/x86_64/lib64openssl-devel-1.0.0o-1.mbs1.x86_64.rpm
27a964cb0697f9a8d0c487db11928cca mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0o-1.mbs1.x86_64.rpm
012ccb3cd7acc23e33666290036d0ec9 mbs1/x86_64/lib64openssl-static-devel-1.0.0o-1.mbs1.x86_64.rpm
dba56f5d00437cfb90c7fecaa7dc2e86 mbs1/x86_64/openssl-1.0.0o-1.mbs1.x86_64.rpm
89ba517c11cc244d57ecb98ec4be4140 mbs1/SRPMS/openssl-1.0.0o-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUSPwVmqjQ0CJFipgRAoQHAKCIgL44O4dBEo3ep06OX6hAeXC1NQCeL5MZ
edOuyF2nZMTtzX6h+9r58OU=
=MJxs
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists