Advisories » MGASA-2014-0012

Updated openssl package fixes security vulnerabilities

Publication date: 17 Jan 2014
Modification date: 17 Jan 2014
Type: security
Affected Mageia releases : 3
CVE: CVE-2013-4353 , CVE-2013-6450

Description

Updated openssl packages fix security vulnerabilities:

The DTLS retransmission implementation in OpenSSL through 1.0.1e does not
properly maintain data structures for digest and encryption contexts, which
might allow man-in-the-middle attackers to trigger the use of a different
context by interfering with packet delivery (CVE-2013-6450).

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
pointer exception. A malicious server could use this flaw to crash a
connecting client (CVE-2013-4353).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=12183
• http://www.openssl.org/news/vulnerabilities.html
• http://www.debian.org/security/2014/dsa-2833
• http://www.debian.org/security/2014/dsa-2837
• https://www.cve.org/CVERecord?id=CVE-2013-4353
• https://www.cve.org/CVERecord?id=CVE-2013-6450

SRPMS

3/core

• openssl-1.0.1e-1.3.mga3