openSUSE Security Update : openssl (openSUSE-SU-2014:0764-1)
High Nessus Plugin ID 75383
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThe openssl library was updated to version 1.0.1h fixing various security issues and bugs :
Security issues fixed :
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability.
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack.
SolutionUpdate the affected openssl packages.