OVAL

MDVSA-2014:105 -- Mandriva openssl

ID: oval:org.secpod.oval:def:1300308
Date: (C)2014-07-24   (M)2017-10-27
Class: PATCH
Family: unix




Multiple vulnerabilities have been discovered and corrected in openssl:

The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service via a DTLS hello message in an invalid DTLS handshake.

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the CCS Injection vulnerability.

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service by triggering a NULL certificate value.

The updated packages have been patched to correct these issues.

Platform:
Mandriva Enterprise Server 5.2
Product:
openssl
Reference:
MDVSA-2014:105
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
CVE (3):
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
CPE (68):
cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3
cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0
cpe:/a:redhat:jboss_enterprise_web_server:2.0.1
cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0
...

© 2013 SecPod Technologies