
perfsonar-announce - Fwd: openssl security update

Subject: perfSONAR Announcements


Fwd: openssl security update

  • From: Jason Zurawski <>
  • To: , perfsonar-announce <>
  • Cc:
  • Subject: Fwd: openssl security update
  • Date: Mon, 12 Jan 2015 13:23:19 -0500


Be aware of another set of announced openssl security vulnerabilities from upstream, information appears below.  The perfSONAR team has evaluated the risk and has determined that no changes to the configuration of a perfSONAR Toolkit are required, but the RPM that contains the SSL packages should be upgraded as soon as possible.  The CentOS project is aware of this issue, and should have updated RPMs for CentOS 6 shortly (announcements for CentOS 5 came out a little while ago - expect something soon).  

The perfSONAR project will keep watch on the situation and alert when it's time to download patches. We will take this opportunity to remind everyone that the 3.4 version of the perfSONAR toolkit has an automatic update feature available:

Consider enabling this if you haven’t done so, and please upgrade to 3.4 if you haven’t done so. 



Begin forwarded message:

From: Salvatore Bonaccorso <>
Date: January 11, 2015 at 6:05:13 AM EST
Subject: [SECURITY] [DSA 3125-1] openssl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3125-1                  Salvatore Bonaccorso
January 11, 2015
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
                CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:


   Frank Schmirler reported that the ssl23_get_client_hello function in
   OpenSSL does not properly handle attempts to use unsupported
   protocols. When OpenSSL is built with the no-ssl3 option and a SSL
   v3 ClientHello is received, the ssl method would be set to NULL which
   could later result in a NULL pointer dereference and daemon crash.


   Pieter Wuille of Blockstream reported that the bignum squaring
   (BN_sqr) may produce incorrect results on some platforms, which
   might make it easier for remote attackers to defeat cryptographic
   protection mechanisms.


   Markus Stenberg of Cisco Systems, Inc. reported that a carefully
   crafted DTLS message can cause a segmentation fault in OpenSSL due
   to a NULL pointer dereference. A remote attacker could use this flaw
   to mount a denial of service attack.


   Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an
   OpenSSL client would accept a handshake using an ephemeral ECDH
   ciphersuite if the server key exchange message is omitted. This
   allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks
   and trigger a loss of forward secrecy.


   Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project
   and Konrad Kraszewski of Google reported various certificate
   fingerprint issues, which allow remote attackers to defeat a
   fingerprint-based certificate-blacklist protection mechanism.


   Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that
   an OpenSSL client will accept the use of an ephemeral RSA key in a
   non-export RSA key exchange ciphersuite, violating the TLS
   standard. This allows remote SSL servers to downgrade the security
   of the session.

   Karthikeyan Bhargavan of the PROSECCO team at INRIA reported that an
   OpenSSL server will accept a DH certificate for client
   authentication without the certificate verify message. This flaw
   effectively allows a client to authenticate without the use of a
   private key via crafted TLS handshake protocol traffic to a server
   that recognizes a certification authority with DH support.


   Chris Mueller discovered a memory leak in the dtls1_buffer_record
   function. A remote attacker could exploit this flaw to mount a
   denial of service through memory exhaustion by repeatedly sending
   specially crafted DTLS records.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u14.

For the upcoming stable distribution (jessie), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.1k-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at:

Mailing list: