OVAL

MDVSA-2014:105 -- Mandriva openssl

ID: oval:org.secpod.oval:def:1300308
Date: (C)2014-07-24   (M)2018-04-15
Class: PATCH
Family: unix




Multiple vulnerabilities have been discovered and corrected in openssl: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service via a DTLS hello message in an invalid DTLS handshake. OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the CCS Injection vulnerability. The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service by triggering a NULL certificate value. The updated packages have been patched to correct these issues.

Platform:
Mandriva Enterprise Server 5.2
Product:
openssl
Reference:
MDVSA-2014:105
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
CVE    3
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
CPE    57
cpe:/a:openssl:openssl:0.9.8m:beta1
cpe:/a:openssl:openssl:0.9.8y
cpe:/a:openssl:openssl:1.0.1:beta1
cpe:/a:openssl:openssl:1.0.1:beta3
...

© SecPod Technologies