[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

MDVSA-2014:105 -- Mandriva openssl

ID: oval:org.secpod.oval:def:1300308Date: (C)2014-07-24   (M)2017-10-27
Class: PATCHFamily: unix




Multiple vulnerabilities has been discovered and corrected in openssl: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service via a DTLS hello message in an invalid DTLS handshake . OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the CCS Injection vulnerability . The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service by triggering a NULL certificate value . The updated packages have been patched to correct these issues.

Platform:
Mandriva Enterprise Server 5.2
Product:
openssl
Reference:
MDVSA-2014:105
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
CVE    3
CVE-2014-3470
CVE-2014-0221
CVE-2014-0224
CPE    68
cpe:/o:redhat:enterprise_linux:5
cpe:/o:redhat:enterprise_linux:6
cpe:/a:openssl:openssl:1.0.0h
cpe:/a:openssl:openssl:1.0.1:beta1
...

© 2013 SecPod Technologies