FreeBSD Security Advisory - A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. The SSL protocol 3.0, as supported in OpenSSL and other products, supports CBC mode encryption where it could not adequately check the integrity of padding, because of the use of non-deterministic CBC padding. This protocol weakness makes it possible for an attacker to obtain clear text data through a padding-oracle attack. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE.
1338c6e5d97b6096c8316516c16ede168dd7ee9fb4220f57cfcb0077bbbdbdbeRed Hat Security Advisory 2014-1692-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. This update adds support for the TLS Fallback Signaling Cipher Suite Value, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.
477e81c0daa2c159986f76e111440acbc133e23811a280839718932c86498c2cDebian Linux Security Advisory 3053-1 - Several vulnerabilities have been found in OpenSSL, the Secure Sockets Layer library and toolkit.
be5632a50e45f3cb615e3418c715bac89d088636f75a6a4d5e8803d38f0c311aUbuntu Security Notice 2385-1 - It was discovered that OpenSSL incorrectly handled memory when parsing DTLS SRTP extension data. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. It was discovered that OpenSSL incorrectly handled memory when verifying the integrity of a session ticket. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. Various other issues were also addressed.
3610dab117a43a7b9293af9e167e8bb4af5e8135c2525ce5ca35b38b19320408Red Hat Security Advisory 2014-1652-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. This update adds support for the TLS Fallback Signaling Cipher Suite Value, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.
1ea510abd5c281438bbcbb59438daf1e162e8b1f81ee81f34c73370873c4fe7dSlackware Security Advisory - New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
0cadf5356b8ab0e92a415510de66dc400ae0d423de69ab42a4d1237f20e2785cOpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3OpenSSL Security Advisory 20141015 - A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. Other issues were also addressed.
7f813dab43819360edd0f61d0861444f45d4c41b0e985a636961e64207acbf57
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed