Solution
Please install the updated packages.
Insight
The openssl library was updated to version 1.0.1h, fixing various security issues and bugs:
Security issues fixed:
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients that enable anonymous ECDH ciphersuites are subject to a denial of service attack.
Affected
openssl on openSUSE 13.1, openSUSE 12.3
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P