7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.974 High
EPSS
Percentile
99.9%
Debian Security Advisory DSA-3287-1 [email protected]
https://www.debian.org/security/ Alessandro Ghedini
June 13, 2015 https://www.debian.org/security/faq
Package : openssl
CVE ID : CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790
CVE-2015-1791 CVE-2015-1792 CVE-2015-4000
Multiple vulnerabilities were discovered in OpenSSL, a Secure Sockets
Layer toolkit.
CVE-2014-8176
Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered
that an invalid memory free could be triggered when buffering DTLS
data. This could allow remote attackers to cause a denial of service
(crash) or potentially execute arbitrary code. This issue only
affected the oldstable distribution (wheezy).
CVE-2015-1788
Joseph Barr-Pixton discovered that an infinite loop could be triggered
due to incorrect handling of malformed ECParameters structures. This
could allow remote attackers to cause a denial of service.
CVE-2015-1789
Robert Swiecki and Hanno Böck discovered that the X509_cmp_time
function could read a few bytes out of bounds. This could allow remote
attackers to cause a denial of service (crash) via crafted
certificates and CRLs.
CVE-2015-1790
Michal Zalewski discovered that the PKCS#7 parsing code did not
properly handle missing content which could lead to a NULL pointer
dereference. This could allow remote attackers to cause a denial of
service (crash) via crafted ASN.1-encoded PKCS#7 blobs.
CVE-2015-1791
Emilia Käsper discovered that a race condition could occur due to
incorrect handling of NewSessionTicket in a multi-threaded client,
leading to a double free. This could allow remote attackers to cause
a denial of service (crash).
CVE-2015-1792
Johannes Bauer discovered that the CMS code could enter an infinite
loop when verifying a signedData message, if presented with an
unknown hash function OID. This could allow remote attackers to cause
a denial of service.
Additionally OpenSSL will now reject handshakes using DH parameters
shorter than 768 bits as a countermeasure against the Logjam attack
(CVE-2015-4000).
For the oldstable distribution (wheezy), these problems have been fixed
in version 1.0.1e-2+deb7u17.
For the stable distribution (jessie), these problems have been fixed in
version 1.0.1k-3+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 1.0.2b-1.
For the unstable distribution (sid), these problems have been fixed in
version 1.0.2b-1.
We recommend that you upgrade your openssl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 8 | kfreebsd-i386 | libssl1.0.0 | < 1.0.1k-3+deb8u1 | libssl1.0.0_1.0.1k-3+deb8u1_kfreebsd-i386.deb |
Debian | 7 | mipsel | openssl | < 1.0.1e-2+deb7u17 | openssl_1.0.1e-2+deb7u17_mipsel.deb |
Debian | 8 | kfreebsd-amd64 | libssl1.0.0-dbg | < 1.0.1k-3+deb8u1 | libssl1.0.0-dbg_1.0.1k-3+deb8u1_kfreebsd-amd64.deb |
Debian | 7 | mipsel | libssl1.0.0 | < 1.0.1e-2+deb7u17 | libssl1.0.0_1.0.1e-2+deb7u17_mipsel.deb |
Debian | 6 | amd64 | libssl-dev | < 0.9.8o-4squeeze21 | libssl-dev_0.9.8o-4squeeze21_amd64.deb |
Debian | 6 | all | openssl | < 0.9.8o-4squeeze21 | openssl_0.9.8o-4squeeze21_all.deb |
Debian | 7 | armel | libssl1.0.0 | < 1.0.1e-2+deb7u17 | libssl1.0.0_1.0.1e-2+deb7u17_armel.deb |
Debian | 6 | amd64 | libssl0.9.8-dbg | < 0.9.8o-4squeeze21 | libssl0.9.8-dbg_0.9.8o-4squeeze21_amd64.deb |
Debian | 7 | mips | openssl | < 1.0.1e-2+deb7u17 | openssl_1.0.1e-2+deb7u17_mips.deb |
Debian | 7 | s390x | openssl | < 1.0.1e-2+deb7u17 | openssl_1.0.1e-2+deb7u17_s390x.deb |
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.974 High
EPSS
Percentile
99.9%