openSUSE Security Update: openssl: fixed elliptic curve handshake failure
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1474-1
Rating: low
References: #905037
Affected Products:
openSUSE 13.2
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This openssl update fixes a TLS handshake problem when elliptic curves are
in use.
openSUSE Security Update: update for openssl
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1331-1
Rating: important
References: #901223 #901277
Cross-References: CVE-2014-3513 CVE-2014-3566 CVE-2014-3567
CVE-2014-3568
Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
The following issues were fixed in this release:
- CVE-2014-3566: SSLv3 POODLE attack (bnc#901223)
- CVE-2014-3513, CVE-2014-3567: DTLS memory leak and session ticket memory leak
openSUSE Security Update: openssl: update to version 1.0.1h
Description:
The openssl library was updated to version 1.0.1h fixing various security
issues and bugs:
Security issues fixed:
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully
crafted handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS
handshake to an OpenSSL DTLS client, the code can be made to recurse,
eventually crashing in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to an
OpenSSL DTLS client or server. This is potentially exploitable to run
arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients that enable anonymous
ECDH ciphersuites are subject to a denial of service attack.
Bump PKGREVISION.
OpenSSL: Fixed a use-after-free race condition in OpenSSL's read buffer.
Description:
A use-after-free race condition in OpenSSL's read buffer
was fixed that could cause connections to drop
(CVE-2010-5298).
Bump PKGREVISION.
update for openssl
This is an openssl version update to 1.0.1g.
- The main reason for this upgrade was to be clear about
the TLS heartbeat problem known as "Heartbleed"
(CVE-2014-0160). That problem was already fixed in our
previous openssl update.
Bump PKGREVISION.