Summary
Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak, protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed (CVE-2014-3512 ).
Detailed descriptions of the vulnerabilities can be found at:
www.openssl.org/news/secadv_20140806.txt
It's important that you upgrade the libssl1.0.0 package and not just the openssl package.
All applications linked to openssl need to be restarted. You can use the checkrestart
tool from the debian-goodies package to detect
affected programs. Alternatively, you may reboot your system.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u12.
For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 1.0.1i-1.
We recommend that you upgrade your openssl packages.
Insight
This package contains the openssl binary and related tools.
Affected
openssl on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities