Advisories » MGASA-2014-0165

Updated openssl package fix two security vulnerabilities

Publication date: 08 Apr 2014
Modification date: 08 Apr 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0076 , CVE-2014-0160

Description

Updated openssl packages fix security vulnerability:

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure
that certain swap operations have a constant-time behavior, which makes it
easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache
side-channel attack (CVE-2014-0076).

A missing bounds check in the handling of the TLS heartbeat extension in
OpenSSL through 1.0.1f can be used to reveal up to 64k of memory to a
connected client or server (CVE-2014-0160).
                

References

• http://www.openssl.org/news/secadv_20140407.txt
• http://lists.opensuse.org/opensuse-updates/2014-04/msg00007.html
• https://bugs.mageia.org/show_bug.cgi?id=13148
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

SRPMS

3/core

• openssl-1.0.1e-1.5.mga3

4/core

• openssl-1.0.1e-8.2.mga4