[Tails-dev] Fwd: openssl security update

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: tails-dev
Betreff: [Tails-dev] Fwd: openssl security update
Likely we want this into 1.0.1. Anyone up to add the LTS repo to APT
sources, with proper pinning? (I would suggest picking only selected
packages from there, since it's a free-for-all archive, so stuff may
not have seen the same amount of QA than regular Debian security or
stable updates.)

Package: openssl
Version: 0.9.8o-4squeeze15
CVE ID: CVE-2014-0076 CVE-2014-0195 CVE-2014-0221 CVE-2014-3470 CVE-2014-0224

CVE-2014-0195

    Jueri Aedla discovered that a buffer overflow in processing DTLS
    fragments could lead to the execution of arbitrary code or denial
    of service.


CVE-2014-0221

    Imre Rad discovered the processing of DTLS hello packets is
    susceptible to denial of service.


CVE-2014-0224

    KIKUCHI Masashi discovered that carefully crafted handshakes can
    force the use of weak keys, resulting in potential man-in-the-middle
    attacks.


CVE-2014-3470

    Felix Groebert and Ivan Fratric discovered that the implementation of
    anonymous ECDH ciphersuites is suspectible to denial of service.


CVE-2014-0076

     Fix for the attack described in the paper "Recovering
     OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     Reported by Yuval Yarom and Naomi Benger.


Additional information can be found at
http://www.openssl.org/news/secadv_20140605.txt

All applications linked to openssl need to be restarted. You can
use the tool checkrestart from the package debian-goodies to
detect affected programs or reboot your system.

It's important that you upgrade the libssl0.9.8 package and not
just the openssl package.


--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc