CVE-2015-0204
Published 2015-01-09
Priority: P3 · 43 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 98.69% (99.9th percentile)
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Affected
188 ranges, a subset shown below
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | <= 8.1.3 | — |
| apple | mac_os_x | <= 10.10.2 | — |
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
| apple | tvos | <= 7.0.3 | — |
| cisco | products | — | — |
| debian | mono | < mono 3.2.8+dfsg-10 (bookworm) | mono 3.2.8+dfsg-10 (bookworm) |
| debian | openssl | < openssl 1.0.1k-1 (bookworm) | openssl 1.0.1k-1 (bookworm) |
| dell | bsafe | >= 4.0.0 < 4.0.8 | 4.0.8 |
| dell | bsafe | >= 4.1.0 < 4.1.3 | 4.1.3 |
| dell | bsafe_ssl-c | <= 2.8.9 | — |
| ibm | tivoli_directory_server | <= 6.0.0.73 | — |
| ibm | tivoli_directory_server | — | — |
Detection & IOCs (extracted from sources)
- Scan for servers offering RSA_EXPORT / EXPORT_RSA cipher suites; presence indicates a client connecting to such a server is at risk of FREAK downgrade attack.
- Use Nessus plugin 81606 to detect SSL/TLS RSA-EXPORT <= 512-bit cipher suites supported (FREAK).
- Use Nessus plugin 26928 to detect weak cipher suites supported on a target.
- Detect vulnerable OpenSSL clients by checking the OpenSSL banner in web server response headers (note: banners are often suppressed).
- Monitor for TLS handshakes where a server offers a weak ephemeral RSA key (512-bit) in a non-export cipher suite context, indicating a FREAK downgrade attempt.
- The vulnerable code path is in ssl3_get_key_exchange() in s3_clnt.c; look for OpenSSL client builds where ephemeral RSA keys are accepted outside of export cipher suites.
- CVE-2015-0204 scope is strictly OpenSSL client code; servers offering EXPORT_RSA ciphers are a prerequisite for exploitation but are not themselves vulnerable under this CVE.
- Unauthenticated scanner checks (e.g., QID 42442) detect server-side exposure (EXPORT_RSA cipher availability); authenticated checks are needed to confirm client-side vulnerability.
- A fix for FREAK in OpenSSL is available as of OpenSSL v1.0.2; fixed Debian packages are openssl 1.0.1k-1.
- openssl097a (RHEL5) and openssl098e (RHEL6/7) will not be patched by Red Hat; only the main openssl package in affected products receives fixes.
CVSS provenance
- nvd: v2.0, 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
- osv: 5.0 MEDIUM
- vendor_cisco: 5.0 MEDIUM
- vendor_ubuntu: 5.0 MEDIUM
- vendor_debian: 4.3 MEDIUM
- vendor_redhat: 4.3 MEDIUM
BSD
FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities
bsd_advisories·2015-03-19·CVSS 6.8
CVE-2015-0204 [MEDIUM] FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project
Topic: Multiple OpenSSL vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-03-19; Last revised on 2015-03-20.
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0293
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following secti
Red Hat
JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)
vendor_redhat·2015-03-11·CVSS 4.3
CVE-2015-0138 [MEDIUM] CWE-327 JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)
JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)
GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-ITDS-IF0073, 6.1 before 6.1.0.66-ISS-ITDS-IF0066, 6.2 before 6.2.0.42-ISS-ITDS-IF0042, and 6.3 before 6.3.0.35-ISS-ITDS-IF0035 and IBM Security Directory Server (ISDS) 6.3.1 before 6.3.1.9-ISS-ISDS-IF0009 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco·2015-03-10·CVSS 5.0
CVE-2014-3569 [MEDIUM] CWE-20 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
CVE-2014-3572: OpenSSL Elliptic Curve Crypt
BSD
FreeBSD-SA-15:01.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2015-01-14·CVSS 5.0
CVE-2014-3569 [MEDIUM] FreeBSD-SA-15:01.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-15:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the f
Cisco
OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
vendor_cisco·2015-01-13·CVSS 4.3
CVE-2015-0204 [MEDIUM] CWE-310 OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.
The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.
OpenSSL has confirmed the vulnerability and released software updates.
To exploit the vulnerability, the attacker likely requires privileged network access to trusted or internal networks to return tempo
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2015-01-12·CVSS 5.0
CVE-2014-3570 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
(CVE-2014-3570)
Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2014-3571)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. A remote attacker could possibly use this issue to downgrade to
ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)
Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. A remote
attacker could possibly use this issue to trick c
Red Hat
openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
vendor_redhat·2015-01-06·CVSS 4.3
CVE-2015-0204 [MEDIUM] CWE-327 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method.
Statement: This issue affects versions of openssl as shipped wit
Debian
CVE-2015-0204: openssl - The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0...
vendor_debian·2015·CVSS 4.3
CVE-2015-0204 [MEDIUM] CVE-2015-0204: openssl - The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0...
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Scope: local
bookworm: resolved (fixed in 1.0.1k-1)
bullseye: resolved (fixed in 1.0.1k-1)
forky: resolved (fixed in 1.0.1k-1)
sid: resolved (fixed in 1.0.1k-1)
trixie: resolved (fixed in 1.0.1k-1)
Debian
CVE-2015-2319: mono - The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to cond...
vendor_debian·2015·CVSS 4.3
CVE-2015-2319 [MEDIUM] CVE-2015-2319: mono - The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to cond...
The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
Scope: local
bookworm: resolved (fixed in 3.2.8+dfsg-10)
bullseye: resolved (fixed in 3.2.8+dfsg-10)
forky: resolved (fixed in 3.2.8+dfsg-10)
sid: resolved (fixed in 3.2.8+dfsg-10)
trixie: resolved (fixed in 3.2.8+dfsg-10)
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2014-8275 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2014-8275: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows: CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability CVE-2014-3572: OpenSSL Ellipti
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0204 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2015-0204: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2014-3570 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2014-3570: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2014-3572 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2014-3572: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0205 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2015-0205: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Apple
CVE-2015-0204: OS X Yosemite v10.10.3 and Security Update 2015-004
vendor_apple·CVSS 4.3
CVE-2015-0204 [MEDIUM] CVE-2015-0204: OS X Yosemite v10.10.3 and Security Update 2015-004
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2015-0204
Component: CVE-2015-0204
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2014-3569 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2014-3569: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2014-3571 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2014-3571: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Cisco
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0206 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
CVE-2015-0206: Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
GHSA
GHSA-wff6-5qmg-74j3: GSKit in IBM Tivoli Directory Server (ITDS) 6
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2015-0138 [MEDIUM] GHSA-wff6-5qmg-74j3: GSKit in IBM Tivoli Directory Server (ITDS) 6
GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-ITDS-IF0073, 6.1 before 6.1.0.66-ISS-ITDS-IF0066, 6.2 before 6.2.0.42-ISS-ITDS-IF0042, and 6.3 before 6.3.0.35-ISS-ITDS-IF0035 and IBM Security Directory Server (ISDS) 6.3.1 before 6.3.1.9-ISS-ISDS-IF0009 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
GHSA
GHSA-rpmm-5q5g-56vf: The TLS stack in Mono before 3
ghsa_unreviewed·2022-05-14·CVSS 4.3
CVE-2015-2319 [MEDIUM] CWE-295 GHSA-rpmm-5q5g-56vf: The TLS stack in Mono before 3
The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
GHSA
GHSA-2cqr-v8j2-59fq: Secure Transport in Apple iOS before 8
ghsa_unreviewed·2022-05-14·CVSS 4.3
CVE-2015-1067 [MEDIUM] GHSA-2cqr-v8j2-59fq: Secure Transport in Apple iOS before 8
Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.
GHSA
GHSA-ff55-77ff-xv8x: The ssl3_get_key_exchange function in s3_clnt
ghsa_unreviewed·2022-05-14
CVE-2015-0204 [MEDIUM] GHSA-ff55-77ff-xv8x: The ssl3_get_key_exchange function in s3_clnt
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
GHSA
GHSA-7cgm-fx9j-3rcr: EMC RSA BSAFE Micro Edition Suite (MES) 4
ghsa_unreviewed·2022-05-13·CVSS 4.3
CVE-2015-0535 [MEDIUM] CWE-327 GHSA-7cgm-fx9j-3rcr: EMC RSA BSAFE Micro Edition Suite (MES) 4
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3 and RSA BSAFE SSL-C 2.8.9 and earlier do not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a similar issue to CVE-2015-0204.
GHSA
GHSA-h5m2-xvgx-vpw7: Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, W
ghsa_unreviewed·2022-05-13·CVSS 4.3
CVE-2015-1637 [MEDIUM] GHSA-h5m2-xvgx-vpw7: Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, W
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1067.
OSV
CVE-2015-2319: The TLS stack in Mono before 3
osv·2018-01-08·CVSS 4.3
CVE-2015-2319 [MEDIUM] CVE-2015-2319: The TLS stack in Mono before 3
The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
OSV
openssl vulnerabilities
osv·2015-01-12·CVSS 5.0
CVE-2014-3570 [MEDIUM] openssl vulnerabilities
openssl vulnerabilities
Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
(CVE-2014-3570)
Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2014-3571)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. A remote attacker could possibly use this issue to downgrade to
ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)
Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. A remote
attacker could possibly use this issue to trick certain applications that
rely on the uniqueness of fingerprints.
OSV
CVE-2015-0204: The ssl3_get_key_exchange function in s3_clnt
osv·2015-01-09·CVSS 4.3
CVE-2015-0204 [MEDIUM] CVE-2015-0204: The ssl3_get_key_exchange function in s3_clnt
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Suricata
ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
suricata·2015-03-11·CVSS 4.3
CVE-2015-0204 [MEDIUM] ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
Rule: alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:4; metadata:created_at 2015_03_11, cve CVE_2015_0204, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_
No public exploits indexed.
Tenable
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
blogs_tenable·2017-01-31
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
Tenable
Verizon 2016 DBIR – Most Interesting Things
blogs_tenable·2016-05-18
Verizon 2016 DBIR – Most Interesting Things
by Andrew Freeborn May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This dashboard can ass
Tenable
Verizon 2016 DBIR – Most Common Vulnerabilities
blogs_tenable·2016-05-18
Verizon 2016 DBIR – Most Common Vulnerabilities
by Andrew Freeborn May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that can assist organizations in meeting many of the recommendations and best practices in the DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This ARC can assist an org
Tenable
[R6] OpenSSL '20150319' Advisory Affects Tenable Products
blogs_tenable·2015-03-29
[R6] OpenSSL '20150319' Advisory Affects Tenable Products
Qualys
Addressing CVE-2015-0204 FREAK with Qualys VM | Qualys
blogs_qualys·2015-03-06·CVSS 4.3
CVE-2015-0204 [MEDIUM] Addressing CVE-2015-0204 FREAK with Qualys VM | Qualys
This past year we have seen an overwhelming interest in SSL library exploits, and FREAK or "Factoring RSA EXPORT Keys" is another one. The full impact is yet to be known as the flaw was baked in the development of secure web communications, so browsers, web clients and hosts would negotiate the strongest encryption “allowed,” falling back to weaker, “export” protocols as required. The most updated list of browsers appears to include: Internet Explorer, Chrome on Mac OS and Android, Safari on Mac OS and iOS, Blackberry Browser, and Opera on Mac OS and Linux.
### Why It Is Important For You
Researchers have identified that a MITM attack is possible forcing HTTPS connections to use weaker and easier to crack encryption. This vulnerability affects clients that communicate with servers that o
Tenable
Tenable Responds to CVE-2015-0204: FREAK Vulnerability
blogs_tenable·2015-03-04·CVSS 4.3
Bugzilla
CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)
bugzilla·2015-05-06·CVSS 4.3
IBM JDK versions 5.0 SR16-FP10, 6 SR16-FP4, 6R1 SR8-FP4, 7 SR9, 7R1 SR3 and 8 SR1 correct an issue known as "FREAK" (Factoring RSA Export Keys). An SSL/TLS client using IBM JDK's JSSE can accept ephemeral RSA keys even when using non-export cipher suites. A MITM attacker could possibly use this flaw to impersonate a server which enables export cipher suites. This issue is similar to CVE-2015-0204 (bug 1180184), which affected OpenSSL.
Description of the flaw in the IBM security bulletin:
A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA
HackerOne
FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
hackerone·2015-04-01·CVSS 4.3
Many TLS servers, including those hosting sensitive websites such as
www.nsa.gov and connect.facebook.net, support weak EXPORT_RSA ciphersuites.
By factoring their 512-bit ephemeral RSA keys, a network attacker is able to impersonate
these websites to web browsers and more generally, to client applications relying on
vulnerable TLS libraries. We have demos showing these attacks at www.smacktls.com.
Who's vulnerable
Vulnerable TLS client-side libraries (and web browsers) include:
- SecureTransport (used by Safari on iOS and OS X)
- SChannel (used by Internet Explorer)
- OpenSSL versions <= 1.0.1j (used by Android Browser and BlackBerry Browser)
- BoringSSL versions before Nov 10, 2014 (used by Chrome <= version 40 on OS X, iOS, An
Bugzilla
CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites [fedora-all]
bugzilla·2015-01-08·CVSS 4.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
bugzilla·2015-01-08·CVSS 4.3
New release of OpenSSL [1] fixes the following issue:
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Upstream patches:
- master: https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
- 0.9.8: https://github.com/openssl/openssl/commit/72f181539118828ca966a0f8d03f6428e2bcf0d6
- 1.0.1: https://github.com/openssl/openssl/commit/37580f43b5a39f5f4e920d17273fab9713d3a744
[1]: https://www.openssl.org/news/changelog.html
Discussion:
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1180189]
---
Upstre
arXiv
ASNM Datasets: A Collection of Network Traffic Features for Testing of Adversarial Classifiers and Network Intrusion Detectors
arxiv_fulltext·2019-10-23
Ivan Homoliak, Petr Hanacek
Faculty of Information Technology, Brno University of Technology
## Abstract
In this paper, we present three datasets that have been built from network traffic traces using ASNM features, designed in our previous work.
The first dataset was built using a state-of-the-art dataset called CDX 2009, while the remaining two datasets were collected by us in 2015 and 2018, respectively.
These two datasets contain several adversarial obfuscation techniques that were applied onto malicious as well as legitimate traffic
samples during "the execution" of particular TCP network connections
arXiv
Secure by default - the case of TLS
arxiv_fulltext·2017-08-24
Martin Stanek
Department of Computer Science
Comenius University
## Abstract
Default configuration of various software applications often neglects security objectives.
We tested the default configuration of TLS in a dozen web and application servers.
The results show that the "secure by default" principle should be adopted more broadly
by developers and package maintainers. In addition, system administrators cannot
rely blindly on default security options.
Keywords: TLS, secure defaults, testing.
## Introduction
Security often depends on prudent configuration of software components used in a deployed
system. All necessary security controls and options are there, but one has
to turn them on or simply start using them. Unfortunately
2015-01-09
Published