Again, a high-profile security vulnerability in an SSL/TLS library.

Package        : openssl
CVE ID         : CVE-2014-0195 CVE-2014-0198 CVE-2014-0221 CVE-2014-0224
                 CVE-2014-3470 (CVE-2010-5298 under specific circumstances)

Multiple vulnerabilities have been discovered in OpenSSL:

CVE-2014-0195

    Jueri Aedla discovered that a buffer overflow in processing DTLS
    fragments could lead to the execution of arbitrary code or denial
    of service.

CVE-2014-0198

    It was discovered that incorrect memory handling in OpenSSL's
    do_ssl3_write() function could result in denial of service.

CVE-2014-0221

    Imre Rad discovered that the processing of DTLS hello packets is
    susceptible to denial of service.

CVE-2014-0224

    KIKUCHI Masashi discovered that carefully crafted handshakes can
    force the use of weak keys, resulting in potential man-in-the-middle
    attacks.

CVE-2014-3470

    Felix Groebert and Ivan Fratric discovered that the implementation of
    anonymous ECDH ciphersuites is susceptible to denial of service.

CVE-2010-5298

    A race condition in the ssl3_read_bytes function can allow remote
    attackers to inject data across sessions or cause a denial of service.
    This flaw only affects multithreaded applications using OpenSSL 1.0.0
    and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
    default and not common.
    [ win-builds packages are not vulnerable; this CVE is mentioned for
      completeness' sake ]

Additional information can be found at
http://www.openssl.org/news/secadv_20140605.txt

For win-builds 1.4, this problem has been fixed in version 1.0.1h-1.

You should update your openssl package.

If you are unsure how to update packages, visit the "Package updates"
section of the documentation at
http://win-builds.org/documentation.html#package_updates

Mailing list: [email protected]

-- 
Adrien Nader
Free Software for windows with package manager: http://win-builds.org
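
Added example (not part of the original advisory and not win-builds code):
a check of an installed version string against the fixed package version
1.0.1h-1 named above. OpenSSL 1.0.x releases carry a patch letter, which the
comparison has to order explicitly. The function names and sample strings
are assumptions made for this illustration.

```python
import re

# Fixed win-builds 1.4 package version, taken from the advisory text above.
FIXED = "1.0.1h-1"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\d+))?")


def parse_version(text):
    """Return (upstream_key, package_revision_or_None) for a version string.

    Accepts a bare version ("1.0.1h"), a package version ("1.0.1h-1") or
    the banner printed by `openssl version`.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letters = m.group(4)
    # Patch letters order as "" < "a" < ... < "z" < "za": length, then text.
    upstream = (major, minor, fix, (len(letters), letters))
    revision = int(m.group(5)) if m.group(5) is not None else None
    return upstream, revision


def is_fixed(installed, fixed=FIXED):
    """True if `installed` is at or past `fixed` on the same release branch."""
    inst_up, inst_rev = parse_version(installed)
    ref_up, ref_rev = parse_version(fixed)
    if inst_up[:3] != ref_up[:3]:
        # The advisory names a fixed version for the 1.0.1 branch only.
        raise ValueError("no fixed version known for this branch")
    if inst_up != ref_up:
        return inst_up > ref_up
    # Same upstream release: compare package revisions only if one was given.
    return inst_rev is None or inst_rev >= (ref_rev or 0)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real system.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "1.0.1g-2", "1.0.1h-1"):
        print(sample, "->", "fixed" if is_fixed(sample) else "UPDATE NEEDED")
```

A version from another branch (for example 1.0.0) raises ValueError rather
than being guessed at, because this advisory gives a fixed version only for
the 1.0.1 package.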

_______________________________________________
Mingw-w64-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
