openssl-1.0.1e-16.AXS4.15
Errata ID: AXSA:2014-494:04
Release date:
2014/08/14 Thursday - 13:24
Title:
openssl-1.0.1e-16.AXS4.15
Affected channels:
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- At this time, details for CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510 and CVE-2014-3511 have not been published.
This advisory will be updated as soon as the CVE information is released.
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2014-3505
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
CVE-2014-3506
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
CVE-2014-3508
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
CVE-2014-3509
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVE-2014-3510
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.
CVE-2014-3511
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
Additional information:
N/A
Download:
SRPMS
- openssl-1.0.1e-16.AXS4.15.src.rpm
MD5: a736976c1a486f55467cabf2b4311542
SHA-256: 46fde036b60c684b1f97cb7e68a9aa05e983ecc290705cab708171f752507930
Size: 2.99 MB
Asianux Server 4 for x86
- openssl-1.0.1e-16.AXS4.15.i686.rpm
MD5: d2486b33981d17247afe9ac5d0bdbe42
SHA-256: bfa4a64445ddafc96f1f01684005e9e2c627c6e34cd5ce2908db5274a302570a
Size: 1.50 MB
- openssl-devel-1.0.1e-16.AXS4.15.i686.rpm
MD5: fcaeca9c00eb14b84b4b8eca9d4f33d7
SHA-256: 905e686fe46d687c392283faeb4990e90de78918f804ace5b45cb6b907cf273e
Size: 1.16 MB
Asianux Server 4 for x86_64
- openssl-1.0.1e-16.AXS4.15.x86_64.rpm
MD5: 7bfcf2250bee799c7c57187174c6009c
SHA-256: 5bf5cbb0c1af9f9134cbe8bbb6cad8419413c21ef9090d74514cec3f6564d950
Size: 1.51 MB
- openssl-devel-1.0.1e-16.AXS4.15.x86_64.rpm
MD5: 0773efea0d338cf58b0644a93b45590f
SHA-256: 8361daee3b80a7b60cca97aba7c7ec7cef8f0144e889d27c9bfdb1c9d4e0e376
Size: 1.16 MB
- openssl-1.0.1e-16.AXS4.15.i686.rpm
MD5: d2486b33981d17247afe9ac5d0bdbe42
SHA-256: bfa4a64445ddafc96f1f01684005e9e2c627c6e34cd5ce2908db5274a302570a
Size: 1.50 MB
- openssl-devel-1.0.1e-16.AXS4.15.i686.rpm
MD5: fcaeca9c00eb14b84b4b8eca9d4f33d7
SHA-256: 905e686fe46d687c392283faeb4990e90de78918f804ace5b45cb6b907cf273e
Size: 1.16 MB
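The checksums above are only useful if they are actually compared against the downloaded files before installation. The following shell script is an added example written for this page, not part of the Asianux advisory or its tooling: it recomputes the SHA-256 of each x86_64 package in the current directory and compares it with the value published above. The SHA-256 is used rather than the MD5, since MD5 is collision-prone and the advisory publishes both. It assumes either sha256sum (coreutils) or the openssl command-line tool is on PATH; the package file names and hash values are copied from the advisory.

```shell
#!/bin/sh
# Added example (not from the Asianux advisory): verify downloaded errata
# packages against the SHA-256 values published in AXSA:2014-494:04.
# Assumes sha256sum (coreutils) or the openssl CLI is available on PATH.

# Published SHA-256 values for the x86_64 channel, copied from the advisory.
SHA256_OPENSSL_X86_64="5bf5cbb0c1af9f9134cbe8bbb6cad8419413c21ef9090d74514cec3f6564d950"
SHA256_OPENSSL_DEVEL_X86_64="8361daee3b80a7b60cca97aba7c7ec7cef8f0144e889d27c9bfdb1c9d4e0e376"

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Prefers coreutils sha256sum; falls back to the openssl CLI, whose output
# ends with the hex digest, so the last whitespace-separated field is taken.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_checksum FILE EXPECTED_SHA256: return 0 if the digest of FILE equals
# EXPECTED_SHA256 (case-insensitive), 1 otherwise. Never installs anything.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "FAIL $file: not readable" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# verify_all: check every advisory package present in the current directory.
# Packages that were not downloaded are skipped; any mismatch makes the
# function return 1 so it can gate an install step (verify_all && rpm -Uvh ...).
verify_all() {
    status=0
    for entry in \
        "openssl-1.0.1e-16.AXS4.15.x86_64.rpm:$SHA256_OPENSSL_X86_64" \
        "openssl-devel-1.0.1e-16.AXS4.15.x86_64.rpm:$SHA256_OPENSSL_DEVEL_X86_64"; do
        file=${entry%%:*}
        sum=${entry#*:}
        if [ ! -f "$file" ]; then
            echo "SKIP $file (not downloaded)"
            continue
        fi
        verify_checksum "$file" "$sum" || status=1
    done
    return $status
}

# Stand-alone usage: run in the directory holding the downloaded RPMs.
verify_all
```

Run the script from the directory containing the downloaded RPMs; a non-zero exit means at least one package did not match the advisory and must not be installed. The same pattern applies to the i686 and SRPM entries by adding their published hashes to the list in verify_all.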