SB2014011418 - Slackware Linux update for openssl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014011418

SB2014011418 - Slackware Linux update for openssl

Published: January 14, 2014 Updated: May 6, 2017

Security Bulletin ID SB2014011418
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2013-4353)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted Next Protocol Negotiation record in a TLS handshake.


2) Cryptographic issues (CVE-ID: CVE-2013-6449)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.


3) Cryptographic issues (CVE-ID: CVE-2013-6450)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.


Remediation

Install update from vendor's website.

References