Advisories ยป MGASA-2014-0165

Updated openssl package fix two security vulnerabilities

Publication date: 08 Apr 2014
Modification date: 08 Apr 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0076 , CVE-2014-0160


Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure
that certain swap operations have a constant-time behavior, which makes it
easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache
side-channel attack (CVE-2014-0076).

A missing bounds check in the handling of the TLS heartbeat extension in
OpenSSL through 1.0.1f can be used to reveal up to 64k of memory to a
connected client or server (CVE-2014-0160).