Debian OpenSSL vulnerabilities
277 known vulnerabilities affecting debian/openssl.
Total CVEs: 277
CISA KEV: 1 (actively exploited)
Public exploits: 27
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 70, MEDIUM 109, LOW 84, UNKNOWN 2
Vulnerabilities
Page 10 of 14
CVE-2014-3571 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1k-1 (bookworm), 2014
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_
CVE-2014-3506 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1i-1 (bookworm), 2014
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
Scope: local
bookworm: resolved (fixed in 1.0.1i-1)
bullseye: resolved (f
CVE-2014-0195 [MEDIUM] CVSS 6.8, PoC, fixed in openssl 1.0.1h-1 (bookworm), 2014
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Scope: local
CVE-2014-3572 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1k-1 (bookworm), 2014
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
Scope: local
bookworm: resolved (fixed in 1.0.1k-1)
bullseye: resolved (fixed in 1.0.1k-1)
forky:
CVE-2014-8275 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1k-1 (bookworm), 2014
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/
CVE-2014-3568 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1j-1 (bookworm), 2014
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Scope: local
bookworm: resolved (fixed in 1.0.1j-1)
bullseye: resolved (fixed in 1.0.1j-1)
forky: resolved (fixed
CVE-2014-3507 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1i-1 (bookworm), 2014
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
Scope: local
bookworm: resolved (fixed in 1.0.1i-1)
CVE-2014-3509 [MEDIUM] CVSS 6.8, fixed in openssl 1.0.1i-1 (bookworm), 2014
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported P
CVE-2014-5139 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1i-1 (bookworm), 2014
The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.
Scope: local
bookworm: resolved (fixed in 1.0.1i
CVE-2014-3505 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1i-1 (bookworm), 2014
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
Scope: local
bookworm: resolved (fixed in 1.0.1i-1)
bullseye: resolved (fixed in 1.0.1i-1)
fo
CVE-2014-3511 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1i-1 (bookworm), 2014
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
Scope: local
bookworm: resolved (fixed in 1.0.1i-1)
CVE-2014-3570 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1k-1 (bookworm), 2014
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
Scope:
CVE-2014-0221 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1h-1 (bookworm), 2014
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Scope: local
bookworm: resolved (fixed in 1.0.1h-1)
bullseye: resolved (fixed in 1.0.1h-1)
forky: resolved
CVE-2014-3566 [LOW] CVSS 3.4, PoC, fixed in erlang 1:17.3-dfsg-3 (bookworm), 2014
CVE-2014-3566 [LOW] CVE-2014-3566: bouncycastle - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses...
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2014-0076 [LOW] CVSS 1.9, fixed in openssl 1.0.1g-1 (bookworm), 2014
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Scope: local
bookworm: resolved (fixed in 1.0.1g-1)
bullseye: resolved (fixed in 1.0.1g-1)
forky: resolved (fixed in 1.0.1g-1
CVE-2014-2234 [LOW] CVSS 6.4, 2014
CVE-2014-2234 [MEDIUM] CVE-2014-2234: openssl - A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust ...
A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust Evaluation Agent (TEA) feature without terminating certain TLS/SSL handshakes as specified in the SSL_CTX_set_verify callback function's documentation, which allows remote attackers to bypass extra verification within a custom application via a crafted certificate chain that is acceptabl
CVE-2013-6449 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1e-5 (bookworm), 2013
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Scope: local
bookworm: resolved (fixed in 1.0.1e-5)
bullseye: resolved (fixed in 1.0.1e-5)
forky: resolved (fixe
CVE-2013-4353 [MEDIUM] CVSS 4.3, fixed in openssl 1.0.1f-1 (bookworm), 2013
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
Scope: local
bookworm: resolved (fixed in 1.0.1f-1)
bullseye: resolved (fixed in 1.0.1f-1)
forky: resolved (fixed in 1.0.1
CVE-2013-0166 [MEDIUM] CVSS 5.0, fixed in openssl 1.0.1e-1 (bookworm), 2013
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Scope: local
bookworm: resolved (fixed in 1.0.1e-1)
bullseye: resolved (fixed in 1.0.1e-1)
forky: re
CVE-2013-0169 [LOW] CVSS 2.6, fixed in bouncycastle 1.48+dfsg-2 (bookworm), 2013
CVE-2013-0169 [LOW] CVE-2013-0169: bouncycastle - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenS...
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical anal