openssl-0.9.8e-27.AXS3.4

エラータID: AXSA:2014-495:03

Release date: 
Thursday, August 14, 2014 - 14:16
Subject: 
openssl-0.9.8e-27.AXS3.4
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
Moderate
Description: 

Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

Security issues fixed with this release:

CVE-2014-0221
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

CVE-2014-3505
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2014-3506
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2014-3508
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2014-3510
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

please see below CVE's links.

Solution: 

update package.

CVEs: 
CVE-2014-0221
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
CVE-2014-3505
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
CVE-2014-3506
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
CVE-2014-3508
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
CVE-2014-3510
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.
Additional Info: 

N/A

Download: 

SRPMS
  1. openssl-0.9.8e-27.AXS3.4.src.rpm
    MD5: c447f8c4690ab0feac43b5b9a007e9a0
    SHA-256: 82c1b5d4da4071b26f828bbbbcc65d1740c3863d84307f457a9a16456faad49c
    Size: 3.16 MB

Asianux Server 3 for x86
  1. openssl-0.9.8e-27.AXS3.4.i386.rpm
    MD5: 8993aaa89ea1aa0a8f0d148fe5fc621c
    SHA-256: 863bb3e1e3a810c9c1b26f3a5f0dc02645a50f1693dee0a783815d70f38117d3
    Size: 1.47 MB
  2. openssl-0.9.8e-27.AXS3.4.i686.rpm
    MD5: 7a23a7f8dabdd14f4d2afeba7dba23d4
    SHA-256: 150aad498784a9e239091e53d03e199408aac7cf9c18673ed9b923dac8aeee30
    Size: 1.45 MB
  3. openssl-devel-0.9.8e-27.AXS3.4.i386.rpm
    MD5: ba3dca3e8914fa2c8325c71769800e0c
    SHA-256: cebfdf5f16bc00602dd89c5550961d3f61fc7e128e9c118ff6ddcef54fee5b8e
    Size: 1.88 MB
  4. openssl-perl-0.9.8e-27.AXS3.4.i386.rpm
    MD5: b313958e9586c46d80a71b341ef8c4f4
    SHA-256: f193527b54f8ea471e334da3ec70518d050830b38c30586402517427c570dd2d
    Size: 37.40 kB

Asianux Server 3 for x86_64
  1. openssl-0.9.8e-27.AXS3.4.x86_64.rpm
    MD5: 8fe6233093cc9e4b6b35437a0ab5957a
    SHA-256: c7e2d036e43bfd607057416ae2de038194ea4edc39bcd101ddbc681321cf7e67
    Size: 1.46 MB
  2. openssl-devel-0.9.8e-27.AXS3.4.x86_64.rpm
    MD5: 8f0a2bc21d5e8d254af176c134e80857
    SHA-256: ea1f142870915f35f1a80ff1b99bb238d9eac6ba5b64c04006c0eba58e886fe7
    Size: 1.86 MB
  3. openssl-perl-0.9.8e-27.AXS3.4.x86_64.rpm
    MD5: 852cba48cbb84e5e43e49ec123edb940
    SHA-256: c45bf0d4d3dfdc08059847aa5a62cf9be6b5fd4d4f0385cb6f6a9626a6f2943c
    Size: 37.37 kB