drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in OpenSSL
Name: |
Mehrere Probleme in OpenSSL |
|
ID: |
DSA-3125-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian sid, Debian wheezy |
|
Datum: |
So, 11. Januar 2015, 18:36 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206 |
|
Applikationen: |
OpenSSL |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
- ------------------------------------------------------------------------- Debian Security Advisory DSA-3125-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 11, 2015 http://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : openssl CVE ID : CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2014-3569
Frank Schmirler reported that the ssl23_get_client_hello function in OpenSSL does not properly handle attempts to use unsupported protocols. When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received, the ssl method would be set to NULL which could later result in a NULL pointer dereference and daemon crash.
CVE-2014-3570
Pieter Wuille of Blockstream reported that the bignum squaring (BN_sqr) may produce incorrect results on some platforms, which might make it easier for remote attackers to defeat cryptographic protection mechanisms.
CVE-2014-3571
Markus Stenberg of Cisco Systems, Inc. reported that a carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. A remote attacker could use this flaw to mount a denial of service attack.
CVE-2014-3572
Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuite if the server key exchange message is omitted. This allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy.
CVE-2014-8275
Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project and Konrad Kraszewski of Google reported various certificate fingerprint issues, which allow remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism.
CVE-2015-0204
Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client will accept the use of an ephemeral RSA key in a non-export RSA key exchange ciphersuite, violating the TLS standard. This allows remote SSL servers to downgrade the security of the session.
CVE-2015-0205
Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This flaw effectively allows a client to authenticate without the use of a private key via crafted TLS handshake protocol traffic to a server that recognizes a certification authority with DH support.
CVE-2015-0206
Chris Mueller discovered a memory leak in the dtls1_buffer_record function. A remote attacker could exploit this flaw to mount a denial of service through memory exhaustion by repeatedly sending specially crafted DTLS records.
For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u14.
For the upcoming stable distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 1.0.1k-1.
We recommend that you upgrade your openssl packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCgAGBQJUsljCAAoJEAVMuPMTQ89EGdAP/RVr1R8cqanOF+XmsvjVwz64 0TZwwWvUZknuuqy82leNRlcg4XWhHdR4WbFyO5unOFF/iTzDsxV1aYdDkxU76ufL ja1B7zQ3VJDSRf4lS5e2ycf9XcDzoHYnGhk9F8IYXXGVqFkmlbTQp2ZmI3AiFxEy Z5iXXkZkWS5DAoyGjt16axxekzZPmCK+iGGGrXXqysierzdgsdwgnS0ksrRjdKXP 9FuBTD6sGQAZAe7cTpGc3PElujHvBp8/TTWWLk7aWHx8Jsa93NrjSQ0TwAeyP6kD LwoydDLnRdORz5zfrcC/zyZWzBJtlOyNmzAo+pV52mYeNlXn6s+lLMFZbeaOW4bu E57N9u9bBcKCxrhOyg1s8G8hmd9unkv1f/G0N/Bwu6+i86BMYNH8mbJDICdkGCML 6jiitfyFwcU1BfcLu/iMVDGytMYYWz6O6nvOK3tz68y6C8aQoqubdnhXU71oVyua Rvf1KPKDuvRf7zbIg5xWXkjvS+CbMUppgGPxdYRyxETwlU0UxCo9dfVSyO35tS3R +RdFHp/8pWgtxkbMoO2WWrh6UwW3Chpyp7w1f3b2tPsrdSs8P9iRjIbIPWT+V0PV 5D8T6WPqiTu0Q5rhpMo2PHVUQSh96zLFnrdAhxapKMQeGBMdpAU24flboAUdDqKl QOmT1rysszfPJCd6WkUK =Ur11 -----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: https://lists.debian.org/E1YAGKX-0005mw-6m@master.debian.org
|
|
|
|