SUSE announces update to new version openssl 1.0.1h, patching 7 vulnerabilities

After the openssl project announced the release of the new version openssl 1.0.1h

Today the openssl project released a new version of the openssl library (openssl-1.0.1h) that fixes six/seven vulnerabilities. Details about the vulnerabilities can be found in their advisory: //www.openssl.org/news/secadv_20140605.txt

List of issues:
1. SSL/TLS MITM vulnerability (CVE-2014-0224)
2. DTLS recursion flaw (CVE-2014-0221)
3. DTLS invalid fragment vulnerability (CVE-2014-0195)
4. SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
5. SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
6. Anonymous ECDH denial of service (CVE-2014-3470)
7. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD (CVE-2014-0076)

We ship the following openssl versions which are affected by…:
- SLES9: openssl 0.9.7d
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
- SLE10: openssl 0.9.8a
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
- SLE11: openssl 0.9.8j
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- Security AddON for SLES11: openssl 1.0.1g
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)
- opensuse: openssl 1.0.1*
  + SSL/TLS MITM vulnerability (CVE-2014-0224)
  + DTLS recursion flaw (CVE-2014-0221)
  + DTLS invalid fragment vulnerability (CVE-2014-0195)
  + SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  + Anonymous ECDH denial of service (CVE-2014-3470)

An update package for CVE-2014-0076 was released in April 2014, see
//lists.opensuse.org/opensuse-updates/2014-04/msg00007.html.

DTLS invalid fragment vulnerability (CVE-2014-0195): This issue affects
only versions starting from 0.9.8o, therefore 0.9.8j is not affected by
this remote buffer overflow.

source: email from Team Leader Maintenance Security, CSSLP SUSE LINUX Products GmbH