Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

29 vulnerabilities found for stunnel by stunnel

VAR-201406-0137

Vulnerability from variot - Updated: 2025-12-22 22:16

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DTLS packets. The issue lies in the assumption that all fragments specify the same message size. An attacker could leverage this vulnerability to execute code in the context of the process using OpenSSL. The following are vulnerable: OpenSSL 0.9.8 prior to 0.9.8za OpenSSL 1.0.0 prior to 1.0.0m OpenSSL 1.0.1 prior to 1.0.1h.

Resolution

All OpenSSL users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1h-r1"

References

[ 1 ] CVE-2010-5298 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5298 [ 2 ] CVE-2014-0195 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0195 [ 3 ] CVE-2014-0198 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0198 [ 4 ] CVE-2014-0221 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0221 [ 5 ] CVE-2014-0224 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0224 [ 6 ] CVE-2014-3470 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3470 [ 7 ] OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201407-05.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5 .

In addition this update disables ZLIB compress by default. If you need to re-enable it for some reason, you can set the environment variable OPENSSL_NO_DEFAULT_ZLIB.

This update also fixes a header declaration which could result in build failures in applications using OpenSSL. The updates are available from the following location using ftp:

ftp://srt03046:Secure12@ftp.usa.hp.com

User name: srt03046 Password: Secure12 ( NOTE: Case sensitive)

HP-UX Release HP-UX OpenSSL version

B.11.11 (11i v1) A.00.09.08za.001_HP-UX_B.11.11_32+64.depot

B.11.23 (11i v2) A.00.09.08za.002_HP-UX_B.11.23_IA-PA.depot

B.11.31 (11i v3) A.00.09.08za.003_HP-UX_B.11.31_IA-PA.depot

MANUAL ACTIONS: Yes - Update

Install OpenSSL A.00.09.08za or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant. Summary

VMware product updates address OpenSSL security vulnerabilities. Problem Description

a. OpenSSL update for multiple products.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)

  has assigned the names CVE-2014-0224, CVE-2014-0198, 
  CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
  these issues. The most important of these issues is 
  CVE-2014-0224.

  CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
  be of moderate severity. Exploitation is highly unlikely or is
  mitigated due to the application configuration.

  CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL 
  Security Advisory (see Reference section below), do not affect
  any VMware products. Updating
  the server will mitigate this issue for both the server and all
  affected clients. For readability
  the affected products have been split into 3 tables below, 
  based on the different client-server configurations and
  deployment scenarios.

  MITIGATIONS

  Clients that communicate with a patched or non-vulnerable server
  are not vulnerable to CVE-2014-0224. Applying these patches to 
  affected servers will mitigate the affected clients (See Table 1
  below). can be mitigated by using a secure network such as 
  VPN (see Table 2 below).

  Clients and servers that are deployed on an isolated network are
  less exposed to CVE-2014-0224 (see Table 3 below). The affected
  products are typically deployed to communicate over the
  management network.

  RECOMMENDATIONS

  VMware recommends customers evaluate and deploy patches for
  affected Servers in Table 1 below as these patches become
  available. Patching these servers will remove the ability to
  exploit the vulnerability described in CVE-2014-0224 on both
  clients and servers. VMware recommends customers consider 
  applying patches to products listed in Table 2 & 3 as required.

  Column 4 of the following tables lists the action required to
  remediate the vulnerability in each release, if a solution is
  available.

  VMware                          Product  Running   Replace with/
  Product                         Version  on        Apply Patch 
  ==============                  =======  =======   =============
  ESXi                            5.5       ESXi     ESXi550-
                                                     201406401-SG

  Big Data Extensions             1.1                patch pending 
  Charge Back Manager             2.6                patch pending

  Horizon Workspace Server 
  GATEWAY                         1.8.1              patch pending 
  Horizon Workspace Server 
  GATEWAY                         1.5                patch pending

  Horizon Workspace Server 
  DATA                            1.8.1              patch pending

  Horizon Mirage Edge Gateway     4.4.2              patch pending 
  Horizon View                    5.3.1              patch pending

  Horizon View Feature Pack       5.3 SP2            patch pending

  NSX for Multi-Hypervisor        4.1.2              patch pending 
  NSX for Multi-Hypervisor        4.0.3              patch pending 
  NSX for vSphere                 6.0.4              patch pending 
  NVP                             3.2.2              patch pending 
  vCAC                            6.0.1              patch pending

  vCloud Networking and Security  5.5.2          patch pending 
  vCloud Networking and Security  5.1.2          patch pending

  vFabric Web Server              5.3.4              patch pending

  vCHS - DPS-Data Protection      2.0                patch pending 
  Service

  Table 2
  ========
  Affected clients running a vulnerable version of OpenSSL 0.9.8 
  or 1.0.1 and communicating over an untrusted network.

  VMware                          Product  Running   Replace with/
  Product                         Version  on        Apply Patch 
  ==============                  =======  =======   =============
  vCSA                            5.5                patch pending 
  vCSA                            5.1                patch pending 
  vCSA                            5.0                patch pending


  ESXi                            5.1       ESXi     patch pending 
  ESXi                            5.0       ESXi     patch pending

  Workstation                     10.0.2    any      patch pending 
  Workstation                     9.0.3     any      patch pending 
  Fusion                          6.x       OSX      patch pending 
  Fusion                          5.x       OSX      patch pending 
  Player                          10.0.2    any      patch pending 
  Player                          9.0.3     any      patch pending

  Chargeback Manager              2.5.x              patch pending

  Horizon Workspace Client for    1.8.1    OSX       patch pending 
  Mac
  Horizon Workspace Client for    1.5      OSX       patch pending 
  Mac
  Horizon Workspace Client for    1.8.1    Windows   patch pending 
  Windows       
  Horizon Workspace Client for    1.5      Windows   patch pending

  OVF Tool                        3.5.1              patch pending 
  OVF Tool                        3.0.1              patch pending

  vCenter Operations Manager      5.8.1              patch pending

  vCenter Support Assistant       5.5.0              patch pending 
  vCenter Support Assistant       5.5.1              patch pending

  vCD                             5.1.2              patch pending    
  vCD                             5.1.3              patch pending 
  vCD                             5.5.1.1            patch pending 
  vCenter Site Recovery Manager   5.0.3.1            patch pending

  Table 3
  =======
  The following table lists all affected clients running a
  vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
  over an untrusted network.

  VMware                          Product  Running   Replace with/
  Product                         Version  on        Apply Patch 
  ==============                  =======  =======   =============
  vCenter Server                  5.5       any      patch pending
  vCenter Server                  5.1       any      patch pending
  vCenter Server                  5.0       any      patch pending

  Update Manager                  5.5       Windows  patch pending
  Update Manager                  5.1       Windows  patch pending
  Update Manager                  5.0       Windows  patch pending

  Config Manager (VCM)            5.6                patch pending

  Horizon View Client             5.3.1              patch pending 
  Horizon View Client             4.x                patch pending
  Horizon Workspace               1.8.1              patch pending 
  Horizon Workspace               1.5                patch pending


  ITBM Standard                   1.0.1              patch pending 
  ITBM Standard                   1.0                patch pending

  Studio                          2.6.0.0            patch pending

  Usage Meter                     3.3                patch pending 
  vCenter Chargeback Manager      2.6                patch pending 
  vCenter Converter Standalone    5.5                patch pending 
  vCenter Converter Standalone    5.1                patch pending 
  vCD (VCHS)                      5.6.2              patch pending

  vCenter Site Recovery Manager   5.5.1              patch pending 
  vCenter Site Recovery Manager   5.1.1              patch pending

  vFabric Application Director    5.2.0              patch pending 
  vFabric Application Director    5.0.0              patch pending 
  View Client                     5.3.1              patch pending 
  View Client                     4.x                patch pending
  VIX API                         5.5                patch pending 
  VIX API                         1.12               patch pending

  vMA (Management Assistant)      5.1.0.1            patch pending


  VMware Data Recovery            2.0.3              patch pending

  VMware vSphere CLI              5.5                patch pending

  vSphere Replication             5.5.1              patch pending 
  vSphere Replication             5.6                patch pending 
  vSphere SDK for Perl            5.5                patch pending 
  vSphere Storage Appliance       5.5.1              patch pending 
  vSphere Storage Appliance       5.1.3              patch pending 
  vSphere Support Assistant       5.5.1              patch pending 
  vSphere Support Assistant       5.5.0              patch pending
  vSphere Virtual Disk            5.5                patch pending 
  Development Kit                  
  vSphere Virtual Disk            5.1                patch pending 
  Development Kit
  vSphere Virtual Disk            5.0                patch pending 
  Development Kit

Solution

ESXi 5.5

Download: https://www.vmware.com/patchmgr/download.portal

Release Notes and Remediation Instructions: http://kb.vmware.com/kb/2077359

Change Log

2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10

Contact

E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories http://www.vmware.com/security/advisories

VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html

Twitter https://twitter.com/VMwareSRC

The SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely resulting in disclosure of information.
HP StoreVirtual VSA Software 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4130 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4130 600GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 2TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 3TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 450GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4630 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 China Hybrid Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 Hybrid Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 4TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4130 600GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4130 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4330 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 China Hybrid SAN Solution 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 China Hybrid Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 Hybrid SAN Solution 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4335 Hybrid Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 2TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 3TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 450GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 4TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4530 600GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4630 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 600GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 600GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 900GB SAS Storage 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5
HP StoreVirtual 4730 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5

BACKGROUND

CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2010-5298
  4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
  4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVE-2014-0076
  4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVE-2014-0195
  7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2014-0198
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2014-0221
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2014-0224
  6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2014-3470
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2014-3566
  3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2016-0705
  9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE recommends applying the following software updates to resolve the vulnerabilities in the impacted versions of HPE StoreVirtual products running HPE LeftHand OS.

LeftHand OS v11.5 - Patches 45019-00 and 45020 LeftHand OS v12.0 - Patches 50016-00 and 50017-00 LeftHand OS v12.5 - Patch 55016-00 LeftHand OS v12.6 - Patch 56002-00

Notes:

These patches enable TLSv1.2 protocol and upgrades the OpenSSL RPM revision to OpenSSL v1.0.1e 48. These patches migrate Certificate Authority Hashing Algorithm from a weak hashing algorithm SHA1 to the stronger hashing algorithm SHA256. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

===================================================================== Red Hat Security Advisory

Synopsis: Important: openssl security update Advisory ID: RHSA-2014:0625-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0625.html Issue date: 2014-06-05 CVE Names: CVE-2010-5298 CVE-2014-0195 CVE-2014-0198 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 =====================================================================

Summary:

Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224)

Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433

A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. (CVE-2014-0195)

Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198)

A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221)

A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470)

Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of CVE-2014-0224, Jüri Aedla as the original reporter of CVE-2014-0195, Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix Gröbert and Ivan Fratrić of Google as the original reporters of CVE-2014-3470.

All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.

Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Bugs fixed (https://bugzilla.redhat.com/):

1087195 - CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference in do_ssl3_write() 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS handshake 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS invalid fragment 1103600 - CVE-2014-3470 openssl: client-side denial of service when using anonymous ECDH

Package List:

Red Hat Enterprise Linux Desktop (v. 6):