{"id":"MGASA-2014-0255","summary":"Updated openssl packages fix multiple vulnerabilties","details":"Updated openssl packages fix security vulnerabilities:\n\nIt was found that OpenSSL clients and servers could be forced, via a\nspecially crafted handshake packet, to use weak keying material for\ncommunication. A man-in-the-middle attacker could use this flaw to decrypt\nand modify traffic between a client and a server. (CVE-2014-0224)\n\nNote: In order to exploit this flaw, both the server and the client must be\nusing a vulnerable version of OpenSSL; the server must be using OpenSSL\nversion 1.0.1 and above, and the client must be using any version of\nOpenSSL. For more information about this flaw, refer to RedHat article\n904433 in the references. All currently supported versions of Mageia are\nrunning OpenSSL 1.0.1.\n\nA buffer overflow flaw was found in the way OpenSSL handled invalid DTLS\npacket fragments. A remote attacker could possibly use this flaw to execute\narbitrary code on a DTLS client or server. (CVE-2014-0195)\n\nA denial of service flaw was found in the way OpenSSL handled certain DTLS\nServerHello requests. A specially crafted DTLS handshake packet could cause\na DTLS client using OpenSSL to crash. (CVE-2014-0221)\n\nA NULL pointer dereference flaw was found in the way OpenSSL performed\nanonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially\ncrafted handshake packet could cause a TLS/SSL client that has the\nanonymous ECDH cipher suite enabled to crash. (CVE-2014-3470)\n","modified":"2026-04-16T00:11:19.884075265Z","published":"2014-06-06T10:31:01Z","upstream":["CVE-2014-0195","CVE-2014-0221","CVE-2014-0224","CVE-2014-3470"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0255.html"},{"type":"WEB","url":"https://www.openssl.org/news/secadv_20140605.txt"},{"type":"WEB","url":"https://access.redhat.com/site/articles/904433"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2014-0625.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13484"}],"affected":[{"package":{"name":"openssl","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/openssl?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1e-1.9.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0255.json"}},{"package":{"name":"openssl","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/openssl?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1e-8.6.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0255.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}