Updated openssl package fixes security vulnerabilities
Publication date: 17 Jan 2014
Modification date: 17 Jan 2014
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-4353, CVE-2013-6450
Description
Updated openssl packages fix security vulnerabilities:
The DTLS retransmission implementation in OpenSSL through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery (CVE-2013-6450).
A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client (CVE-2013-4353).
References
- https://bugs.mageia.org/show_bug.cgi?id=12183
- http://www.openssl.org/news/vulnerabilities.html
- http://www.debian.org/security/2014/dsa-2833
- http://www.debian.org/security/2014/dsa-2837
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
SRPMS
3/core
- openssl-1.0.1e-1.3.mga3