
From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201407-05 ] OpenSSL: Multiple vulnerabilities
Date: Sun, 27 Jul 2014 22:47:21
Message-Id: 53D5809F.7010708@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: OpenSSL: Multiple vulnerabilities
Date: July 27, 2014
Bugs: #512506
ID: 201407-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSSL, possibly allowing
remote attackers to execute arbitrary code.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

-------------------------------------------------------------------
   Package              /  Vulnerable  /                 Unaffected
-------------------------------------------------------------------
1  dev-libs/openssl        < 1.0.1h-r1              *>= 0.9.8z_p5
                                                    *>= 0.9.8z_p4
                                                    *>= 0.9.8z_p1
                                                    *>= 0.9.8z_p3
                                                    *>= 0.9.8z_p2
                                                    *>= 1.0.0m
                                                     >= 1.0.1h-r1

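Added example, not part of the advisory or of Gentoo's own glsa-check: a Python check that decides whether an installed dev-libs/openssl version falls inside this GLSA's table. It implements the Gentoo version ordering needed for the versions listed, and it assumes (following how glsa-check treats revision ranges) that the `*>=` rows are revision ranges, i.e. they match only the same version string with an equal or higher `-rN` revision, which is why 0.9.8z_p1 through 0.9.8z_p5 appear as separate rows.

```python
import re

# Affected-package table from GLSA 201407-05, transcribed by hand.
VULNERABLE = "<1.0.1h-r1"
UNAFFECTED = ["*>=0.9.8z_p5", "*>=0.9.8z_p4", "*>=0.9.8z_p1", "*>=0.9.8z_p3",
              "*>=0.9.8z_p2", "*>=1.0.0m", ">=1.0.1h-r1"]

# Suffix ordering per the Gentoo Package Manager Specification:
# _alpha < _beta < _pre < _rc < (no suffix) < _p.  The PMS leading-zero
# rule for numeric components is not needed for these versions and is omitted.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def split_version(version):
    """Return (comparison key without revision, revision) for a Gentoo version."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unsupported Gentoo version: %r" % version)
    nums, letter, suffixes, rev = m.groups()
    key = [tuple(int(n) for n in nums.split(".")), letter]
    for name, num in re.findall(r"_([a-z]+)(\d*)", suffixes):
        key.append((_SUFFIX_RANK[name], int(num or 0)))
    key.append((0, 0))  # sentinel: "1.0.1h" sorts after "1.0.1h_rc1", before "1.0.1h_p1"
    return tuple(key), int(rev or 0)

def matches(spec, version):
    """Does `version` satisfy one table entry such as '<1.0.1h-r1' or '*>=1.0.0m'?"""
    revision_only = spec.startswith("*")  # assumption: '*' marks a revision range
    op, bound = re.match(r"^\*?(<=|>=|<|>|=)(.+)$", spec).groups()
    base, rev = split_version(version)
    bbase, brev = split_version(bound)
    if revision_only:
        if base != bbase:  # different version string: the row does not apply
            return False
        left, right = rev, brev
    else:
        left, right = (base, rev), (bbase, brev)
    return {"<": left < right, "<=": left <= right, "=": left == right,
            ">": left > right, ">=": left >= right}[op]

def is_vulnerable(installed):
    """True if the installed dev-libs/openssl version is covered by this GLSA."""
    if not matches(VULNERABLE, installed):
        return False
    return not any(matches(u, installed) for u in UNAFFECTED)
```

Feed it the version reported by `equery` or `qlist -Iv dev-libs/openssl`; note that under the revision-range reading a hypothetical 1.0.0n would not be cleared by the `*>= 1.0.0m` row and would need a later advisory.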
Description
===========

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the OpenSSL Security Advisory [05 Jun 2014] and the CVE identifiers
referenced below for details.

Impact
======

A remote attacker could send specially crafted DTLS fragments to an
OpenSSL DTLS client or server to possibly execute arbitrary code with
the privileges of the process using OpenSSL.

Furthermore, an attacker could force the use of weak keying material in
OpenSSL SSL/TLS clients and servers, inject data across sessions, or
cause a Denial of Service via various vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1h-r1"

References
==========

[ 1 ] CVE-2010-5298
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5298
[ 2 ] CVE-2014-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0195
[ 3 ] CVE-2014-0198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0198
[ 4 ] CVE-2014-0221
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0221
[ 5 ] CVE-2014-0224
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0224
[ 6 ] CVE-2014-3470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3470
[ 7 ] OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201407-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
