Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-81-1:C60A9
HistoryNov 01, 2014 - 3:49 p.m.

[SECURITY] [DLA 81-1] openssl security update

2014-11-0115:49:46
lists.debian.org
31

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

3.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

AI Score

5.3

Confidence

Low

EPSS

0.975

Percentile

100.0%

JSON

Package : openssl
Version : 0.9.8o-4squeeze18
CVE ID : CVE-2014-3567 CVE-2014-3568 CVE-2014-3569

Several vulnerabilities have been found in OpenSSL.

CVE-2014-3566 ("POODLE")

A flaw was found in the way SSL 3.0 handled padding bytes when
decrypting messages encrypted using block ciphers in cipher block
chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM)
attacker to decrypt a selected byte of a cipher text in as few as 256
tries if they are able to force a victim application to repeatedly
send the same data over newly created SSL 3.0 connections.  

This update adds support for Fallback SCSV to mitigate this issue.
This does not fix the issue.  The proper way to fix this is to
disable SSL 3.0.

CVE-2014-3567

A memory leak flaw was found in the way an OpenSSL handled failed
session ticket integrity checks. A remote attacker could exhaust all
available memory of an SSL/TLS or DTLS server by sending a large number
of invalid session tickets to that server.

CVE-2014-3568

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.

Note that the package is Debian is not build with this option.

CVE-2014-3569

When openssl is build with the no-ssl3 option and a SSL v3 Client
Hello is received the ssl method would be set to NULL which could
later result in a NULL pointer dereference.

Note that the package is Debian is not build with this option.

Attachment:
signature.asc
Description: Digital signature

OSVersionArchitecturePackageVersionFilename
Debian6i386lighttpd-mod-magnet< 1.4.28-2+squeeze1.7lighttpd-mod-magnet_1.4.28-2+squeeze1.7_i386.deb
Debian7ia64libssl1.0.0-dbg< 1.0.1e-2+deb7u13libssl1.0.0-dbg_1.0.1e-2+deb7u13_ia64.deb
Debian7s390lighttpd< 1.4.31-4+deb7u4lighttpd_1.4.31-4+deb7u4_s390.deb
Debian7allopenjdk-7-source< 7u75-2.5.4-1~deb7u1openjdk-7-source_7u75-2.5.4-1~deb7u1_all.deb
Debian7amd64icedtea-7-jre-jamvm< 7u75-2.5.4-1~deb7u1icedtea-7-jre-jamvm_7u75-2.5.4-1~deb7u1_amd64.deb
Debian7armhflibssl-dev< 1.0.1e-2+deb7u14libssl-dev_1.0.1e-2+deb7u14_armhf.deb
Debian7powerpcopenjdk-6-jre< 6b34-1.13.6-1~deb7u1openjdk-6-jre_6b34-1.13.6-1~deb7u1_powerpc.deb
Debian7powerpcopenjdk-7-jre-headless< 7u75-2.5.4-1~deb7u1openjdk-7-jre-headless_7u75-2.5.4-1~deb7u1_powerpc.deb
Debian7i386icedtea-6-jre-jamvm< 6b34-1.13.6-1~deb7u1icedtea-6-jre-jamvm_6b34-1.13.6-1~deb7u1_i386.deb
Debian7kfreebsd-i386libssl1.0.0< 1.0.1e-2+deb7u13libssl1.0.0_1.0.1e-2+deb7u13_kfreebsd-i386.deb
Rows per page:
1-10 of 4321

Related

openvas 28
osv 3
nessus 40
suse 7
ibm 59
securityvulns 2
freebsd_advisory 1
freebsd 1
slackware 1
archlinux 1
kaspersky 2
debian 1
prion 3
cvelist 4
veracode 4
f5 7
ubuntucve 3
nvd 3
debiancve 3
cve 3
centos 1
mageia 1
amazon 2
redhat 3
aix 1
vmware 2
checkpoint_advisories 2
openssl 3
hackerone 1
fedora 5
seebug 1
cert 1
openvas
openvas
Debian: Security Advisory (DLA-81-1)
2023-03-08 00:00:00
SUSE: Security Advisory (SUSE-SU-2014:1361-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2014:1387-1)
2021-06-09 00:00:00
osv
osv
openssl - security update
2014-11-01 00:00:00
openssl - security update
2014-10-16 00:00:00
lighttpd - security update
2015-07-25 00:00:00
nessus
nessus
Debian DLA-81-1 : openssl security update
2015-03-26 00:00:00
SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2014:1387-1) (POODLE)
2015-05-20 00:00:00
SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2014:1512-1) (POODLE)
2015-05-20 00:00:00
suse
suse
Security update for OpenSSL (important)
2014-11-11 01:04:46
Security update for OpenSSL (important)
2014-11-13 01:04:46
Security update for OpenSSL (important)
2014-11-05 23:04:47
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in Current Release of IBM® SDK for Node.js™
2018-08-09 04:20:36
Security Bulletin: Vulnerabilities in SSLv3 affect IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568)
2019-01-31 01:55:01
Security Bulletin: Vulnerabilities in SSLv3 and in OpenSSL affect Enterprise Scanner (CVE-2014-3566, CVE-2014-3513, CVE-2014-3567, and CVE-2014-3568)
2018-06-16 21:20:42
securityvulns
securityvulns
[slackware-security] openssl &#40;SSA:2014-288-01&#41;
2014-10-17 00:00:00
OpenSSL multiple security vulnerabilities
2014-12-09 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:23.openssl
2014-10-21 00:00:00
freebsd
freebsd
OpenSSL -- multiple vulnerabilities
2014-10-15 00:00:00
slackware
slackware
[slackware-security] openssl
2014-10-15 17:58:22
archlinux
archlinux
openssl: denial of service / man-in-the-middle / poodle mitigation
2014-10-16 00:00:00
kaspersky
kaspersky
KLA10359 Vulnerability in Tableau
2014-07-18 00:00:00
KLA10452 Multiple vulnerabilities in VMware products
2015-01-27 00:00:00
debian
debian
[SECURITY] [DSA 3053-1] openssl security update
2014-10-16 15:48:24
prion
prion
Null pointer dereference
2014-12-24 11:59:00
Design/Logic Flaw
2014-10-19 01:55:00
Memory corruption
2014-10-19 01:55:00
cvelist
cvelist
CVE-2014-3569
2014-12-24 11:00:00
CVE-2014-3568
2014-10-19 01:00:00
CVE-2014-3567
2014-10-19 01:00:00
veracode
veracode
Denial Of Service (DoS) Through Null Pointer Dereference
2017-02-06 08:21:22
Access Restriction Bypass
2017-02-06 08:45:07
Denial Of Service (DoS) Through Memory Consumption
2017-02-06 08:56:15
f5
f5
K16013 : OpenSSL vulnerability CVE-2014-3569
2015-01-29 00:00:00
SOL16013 - OpenSSL vulnerability CVE-2014-3569
2015-01-28 00:00:00
SOL15724 - OpenSSL vulnerability CVE-2014-3568
2014-10-23 00:00:00
ubuntucve
ubuntucve
CVE-2014-3569
2014-12-24 00:00:00
CVE-2014-3568
2014-10-19 00:00:00
CVE-2014-3567
2014-10-15 00:00:00
nvd
nvd
CVE-2014-3569
2014-12-24 11:59:00
CVE-2014-3568
2014-10-19 01:55:13
CVE-2014-3567
2014-10-19 01:55:13
debiancve
debiancve
CVE-2014-3569
2014-12-24 11:59:00
CVE-2014-3568
2014-10-19 01:55:13
CVE-2014-3567
2014-10-19 01:55:13
cve
cve
CVE-2014-3569
2014-12-24 11:59:00
CVE-2014-3568
2014-10-19 01:55:13
CVE-2014-3567
2014-10-19 01:55:13
centos
centos
openssl security update
2014-10-16 16:22:42
mageia
mageia
Updated openssl packages fix security vulnerabilities
2014-10-23 17:27:57
amazon
amazon
Important: openssl
2014-10-15 16:14:00
Important: openssl
2014-10-14 22:32:00
redhat
redhat
(RHSA-2014:1692) Important: openssl security update
2014-10-22 00:00:00
(RHSA-2014:1652) Important: openssl security update
2014-10-16 00:00:00
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
aix
aix
AIX OpenSSL Denial of Service due to memory leak in DTLS / AIX OpenSSL Patch to mitigate CVE-2014-3566 / AIX OpenSSL Denial of Service due to memory consumption
2014-10-29 04:58:52
vmware
vmware
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
2015-01-27 00:00:00
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
2015-01-27 00:00:00
checkpoint_advisories
checkpoint_advisories
OpenSSL ssl23_get_client_hello Function Denial of Service (CVE-2014-3569)
2015-01-12 00:00:00
OpenSSL Invalid Session Ticket Denial of Service (CVE-2014-3567)
2014-11-03 00:00:00
openssl
openssl
Vulnerability in OpenSSL - no-ssl3 configuration sets method to NULL
2014-10-21 00:00:00
Vulnerability in OpenSSL - Build option no-ssl3 is incomplete
2014-10-15 00:00:00
Vulnerability in OpenSSL - Session Ticket Memory Leak
2014-10-15 00:00:00
hackerone
hackerone
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
fedora
fedora
[SECURITY] Fedora 20 Update: claws-mail-plugins-3.11.1-1.fc20
2014-11-10 06:30:28
[SECURITY] Fedora 21 Update: python-rhsm-1.13.6-1.fc21
2014-11-10 06:34:40
[SECURITY] Fedora 21 Update: libuv-0.10.29-1.fc21
2014-12-15 04:31:42
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

3.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

AI Score

5.3

Confidence

Low

EPSS

0.975

Percentile

100.0%

JSON
Related for DEBIAN:DLA-81-1:C60A9
openvas28osv3nessus40suse7ibm59securityvulns2freebsd_advisory1freebsd1slackware1archlinux1kaspersky2debian1prion3cvelist4veracode4f57ubuntucve3nvd3debiancve3cve3centos1mageia1amazon2redhat3aix1vmware2checkpoint_advisories2openssl3hackerone1fedora5seebug1cert1