Debian Security Advisory
DLA-0003-1 openssl -- LTS security update
- Date Reported:
- 05 Jun 2014
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-0076, CVE-2014-0195, CVE-2014-0221, CVE-2014-3470, CVE-2014-0224.
- More information:
Jueri Aedla discovered that a buffer overflow in processing DTLS fragments could lead to the execution of arbitrary code or denial of service.
Imre Rad discovered the processing of DTLS hello packets is susceptible to denial of service.
KIKUCHI Masashi discovered that carefully crafted handshakes can force the use of weak keys, resulting in potential man-in-the-middle attacks.
Felix Groebert and Ivan Fratric discovered that the implementation of anonymous ECDH ciphersuites is suspectible to denial of service.
Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" Reported by Yuval Yarom and Naomi Benger.
Additional information can be found at http://www.openssl.org/news/secadv_20140605.txt
All applications linked to openssl need to be restarted. You can use the tool checkrestart from the package debian-goodies to detect affected programs or reboot your system.
It's important that you upgrade the libssl0.9.8 package and not just the openssl package.
For Debian 6
Squeeze, these issues have been fixed in openssl version 0.9.8o-4squeeze15