[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78764

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-3053-1 openssl -- openssl

ID: oval:org.secpod.oval:def:601802Date: (C)2014-10-27   (M)2017-11-18
Class: PATCHFamily: unix




Several vulnerabilities have been found in OpenSSL, the Secure Sockets Layer library and toolkit. CVE-2014-3513 A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. CVE-2014-3566 A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining mode. This flaw allows a man-in-the-middle attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This update adds support for Fallback SCSV to mitigate this issue. CVE-2014-3567 A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. CVE-2014-3568 When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

Platform:
Debian 7.0
Product:
openssl
Reference:
DSA-3053-1
CVE-2014-3513
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568
CVE    4
CVE-2014-3567
CVE-2014-3568
CVE-2014-3513
CVE-2014-3566
...
CPE    36
cpe:/o:debian:debian_linux:7.x
cpe:/a:openssl:openssl:1.0.0h
cpe:/a:openssl:openssl:1.0.0j
cpe:/a:openssl:openssl:1.0.0i
...

© 2013 SecPod Technologies