
openssl security update

Package: openssl
Version: 0.9.8o-4squeeze15
CVE ID: CVE-2014-0076 CVE-2014-0195 CVE-2014-0221 CVE-2014-3470 CVE-2014-0224


    Jueri Aedla discovered that a buffer overflow in processing DTLS
    fragments could lead to the execution of arbitrary code or denial
    of service.


    Imre Rad discovered the processing of DTLS hello packets is
    susceptible to denial of service.


    KIKUCHI Masashi discovered that carefully crafted handshakes can
    force the use of weak keys, resulting in potential man-in-the-middle


    Felix Groebert and Ivan Fratric discovered that the implementation of
    anonymous ECDH ciphersuites is susceptible to denial of service.


     Fix for the attack described in the paper "Recovering
     OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     Reported by Yuval Yarom and Naomi Benger.

Additional information can be found at

All applications linked to openssl need to be restarted. You can
use the tool checkrestart from the package debian-goodies to
detect affected programs or reboot your system.

It's important that you upgrade the libssl0.9.8 package and not
just the openssl package.
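
One way to carry out the restart check described above when checkrestart is not installed, as an added example that is not part of the original advisory. It relies on the kernel marking a mapping "(deleted)" in /proc/PID/maps once the library file has been replaced on disk; the function names, the PROC_ROOT argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes that still map a libssl/libcrypto file
# that was replaced on disk. The kernel marks such mappings "(deleted)"
# in /proc/PID/maps until the process is restarted.

# maps_has_stale_ssl FILE: true if FILE (maps format) has such a mapping.
maps_has_stale_ssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_ssl_pids [PROC_ROOT]: print "PID EXE" per affected process.
# PROC_ROOT is a parameter of this example only; it defaults to /proc.
stale_ssl_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        maps_has_stale_ssl "$dir/maps" || continue
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        printf '%s %s\n' "${dir##*/}" "$exe"
    done
}

# build_sample_proc DIR: constructed sample tree (not real process data).
build_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    ln -s /usr/sbin/apache2 "$1/101/exe"   # still maps the old libssl
    ln -s /usr/sbin/sshd "$1/202/exe"      # maps the current libssl
    ln -s /usr/bin/python "$1/303/exe"     # stale, but not an openssl library
    cat > "$1/101/maps" <<'EOF'
7f3a1c000000-7f3a1c04e000 r-xp 00000000 08:01 1311 /usr/lib/libssl.so.0.9.8 (deleted)
7f3a1c400000-7f3a1c57a000 r-xp 00000000 08:01 1312 /usr/lib/libcrypto.so.0.9.8 (deleted)
EOF
    cat > "$1/202/maps" <<'EOF'
7f9b2e000000-7f9b2e04e000 r-xp 00000000 08:01 2077 /usr/lib/libssl.so.0.9.8
EOF
    cat > "$1/303/maps" <<'EOF'
7f55d0000000-7f55d0012000 r-xp 00000000 08:01 1190 /usr/lib/libz.so.1.2.3.4 (deleted)
EOF
}

# Live use: run as root so every process's maps file is readable.
stale_ssl_pids /proc
```

Any process it prints is still running the old library code and has to be restarted to pick up the fixed libssl0.9.8.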
