unsubscribe 2014-10-16 17:48 GMT+02:00 Thijs Kinkhorst <th...@debian.org>:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-3053-1 secur...@debian.org > http://www.debian.org/security/ Thijs Kinkhorst > October 16, 2014 http://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : openssl > CVE ID : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 > > Several vulnerabilities have been found in OpenSSL, the Secure Sockets > Layer library and toolkit. > > CVE-2014-3513 > > A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure > Real-time Transport Protocol (SRTP) extension data. A remote attacker > could send multiple specially crafted handshake messages to exhaust > all available memory of an SSL/TLS or DTLS server. > > CVE-2014-3566 ("POODLE") > > A flaw was found in the way SSL 3.0 handled padding bytes when > decrypting messages encrypted using block ciphers in cipher block > chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) > attacker to decrypt a selected byte of a cipher text in as few as 256 > tries if they are able to force a victim application to repeatedly send > the same data over newly created SSL 3.0 connections. > > This update adds support for Fallback SCSV to mitigate this issue. > > CVE-2014-3567 > > A memory leak flaw was found in the way an OpenSSL handled failed > session ticket integrity checks. A remote attacker could exhaust all > available memory of an SSL/TLS or DTLS server by sending a large number > of invalid session tickets to that server. > > CVE-2014-3568 > > When OpenSSL is configured with "no-ssl3" as a build option, servers > could accept and complete a SSL 3.0 handshake, and clients could be > configured to send them. > > For the stable distribution (wheezy), these problems have been fixed in > version 1.0.1e-2+deb7u13. > > For the unstable distribution (sid), these problems have been fixed in > version 1.0.1j-1. > > We recommend that you upgrade your openssl packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: debian-security-annou...@lists.debian.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJUP+iVAAoJEFb2GnlAHawE2z0H/3QUAuRqp7+czEaG0m+xZ/At > 6y+seY2m6l7E1IBD3OFfDAycjLp4Lo5rrZx/nhpTQwEuttwgtEhVccoCOvrXidt8 > JCEJcPipfZv6gdLY0XJMh564h4CB/ETenPjbb90B0k3l5YYg7l45gLupbCXMpUGl > XQp2sVsA9qnL4yUaQGO8Sj79sq1MzSSzCl2OyWnjFQSfece9j4yIj2vvNgAMYpC2 > V5zl4b73Gy5T/tfPmlu8YKlSTjX7HNRHnx3MvkEc1MwpY73x9HgR+DQ1YRHbbZKn > /YqvWSRL7sCXmPwaa6Ne3sIpC356MTWovKQtPAYZVpILuURUx9JJ3usMbTWLPBM= > =xVTv > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: https://lists.debian.org/20141016154824.c84f259...@kinkhorst.com > >
