You are here
Home > Preporuke > Ranjivosti programskog paketa openssl

Ranjivosti programskog paketa openssl

by ncert - 0

openSUSE Security Update: openssl: update to version 1.0.1h
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0764-1
Rating: critical
References: #880891
Cross-References: CVE-2014-0195 CVE-2014-0221 CVE-2014-0224
CVE-2014-3470
Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The openssl library was updated to version 1.0.1h fixing various security
issues and bugs:

Security issues fixed:
– CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully
crafted handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
– CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS
handshake to an OpenSSL DTLS client the code can be made to recurse
eventually crashing in a DoS attack.
– CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to an
OpenSSL DTLS client or server. This is potentially exploitable to run
arbitrary code on a vulnerable client or server.
– CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH
ciphersuites are subject to a denial of service attack.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 13.1:

zypper in -t patch openSUSE-2014-410

– openSUSE 12.3:

zypper in -t patch openSUSE-2014-410

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 13.1 (i586 x86_64):

libopenssl-devel-1.0.1h-11.48.1
libopenssl1_0_0-1.0.1h-11.48.1
libopenssl1_0_0-debuginfo-1.0.1h-11.48.1
openssl-1.0.1h-11.48.1
openssl-debuginfo-1.0.1h-11.48.1
openssl-debugsource-1.0.1h-11.48.1

– openSUSE 13.1 (x86_64):

libopenssl-devel-32bit-1.0.1h-11.48.1
libopenssl1_0_0-32bit-1.0.1h-11.48.1
libopenssl1_0_0-debuginfo-32bit-1.0.1h-11.48.1

– openSUSE 13.1 (noarch):

openssl-doc-1.0.1h-11.48.1

– openSUSE 12.3 (i586 x86_64):

libopenssl-devel-1.0.1h-1.60.1
libopenssl1_0_0-1.0.1h-1.60.1
libopenssl1_0_0-debuginfo-1.0.1h-1.60.1
openssl-1.0.1h-1.60.1
openssl-debuginfo-1.0.1h-1.60.1
openssl-debugsource-1.0.1h-1.60.1

– openSUSE 12.3 (x86_64):

libopenssl-devel-32bit-1.0.1h-1.60.1
libopenssl1_0_0-32bit-1.0.1h-1.60.1
libopenssl1_0_0-debuginfo-32bit-1.0.1h-1.60.1

– openSUSE 12.3 (noarch):

openssl-doc-1.0.1h-1.60.1

References:

http://support.novell.com/security/cve/CVE-2014-0195.html
http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/880891


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

openSUSE Security Update: update to version 1.0.0m
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0765-1
Rating: critical
References: #880891
Cross-References: CVE-2014-0195 CVE-2014-0221 CVE-2014-0224
CVE-2014-3470
Affected Products:
openSUSE 11.4
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The openssl library was updated to version 1.0.0m fixing various security
issues and bugs:

Security issues fixed:
– CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully
crafted handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
– CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS
handshake to an OpenSSL DTLS client the code can be made to recurse
eventually crashing in a DoS attack.
– CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to an
OpenSSL DTLS client or server. This is potentially exploitable to run
arbitrary code on a vulnerable client or server.
– CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH
ciphersuites are subject to a denial of service attack.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 11.4:

zypper in -t patch 2014-60

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 11.4 (i586 x86_64):

libopenssl-devel-1.0.0m-18.53.1
libopenssl1_0_0-1.0.0m-18.53.1
libopenssl1_0_0-debuginfo-1.0.0m-18.53.1
openssl-1.0.0m-18.53.1
openssl-debuginfo-1.0.0m-18.53.1
openssl-debugsource-1.0.0m-18.53.1

– openSUSE 11.4 (x86_64):

libopenssl1_0_0-32bit-1.0.0m-18.53.1
libopenssl1_0_0-debuginfo-32bit-1.0.0m-18.53.1

– openSUSE 11.4 (noarch):

openssl-doc-1.0.0m-18.53.1

– openSUSE 11.4 (ia64):

libopenssl1_0_0-debuginfo-x86-1.0.0m-18.53.1
libopenssl1_0_0-x86-1.0.0m-18.53.1

References:

http://support.novell.com/security/cve/CVE-2014-0195.html
http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/880891


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

ncert
Top
More in Preporuke
Ranjivosti programskog paketa gnutls

Izdana je nadogradnja za otklanjanje dvije ranjivosti kod programskog paketa gnutls za openSUSE. Prva ranjivost posljedica je dereferenciranja NULL pokazivača...

Close