[ MDVSA-2014:203 ] openssl

Mandriva Linux Security Advisory                         MDVSA-2014:203
 http://www.mandriva.com/en/support/security/
 ____________________________________________________________
___________

 Package : openssl
 Date    : October 23, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in openssl:

 OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
 to block the ability for a MITM attacker to force a protocol
 downgrade. Some client applications (such as browsers) will reconnect
 using a downgraded protocol to work around interoperability bugs in
 older servers. This could be exploited by an active man-in-the-middle
 to downgrade connections to SSL 3.0 even if both sides of the
 connection support higher protocols. SSL 3.0 contains a number of
 weaknesses including POODLE (CVE-2014-3566).

 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
 integrity of that ticket is first verified. In the event of a session
 ticket integrity check failing, OpenSSL will fail to free memory
 causing a memory leak. By sending a large number of invalid session
 tickets an attacker could exploit this issue in a Denial Of Service
 attack (CVE-2014-3567).

 The updated packages have been upgraded to the 1.0.0o version where
 these security flaws has been fixed.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
 https://www.openssl.org/news/secadv_20141015.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 054c36eb1d59a0556ab17a1627f869d2  mbs1/x86_64/lib64openssl1.0.0-1.0.0o-1.mbs1.x86_64.rpm
 aaff926dab60e6d5635afde92edd9c91  mbs1/x86_64/lib64openssl-devel-1.0.0o-1.mbs1.x86_64.rpm
 27a964cb0697f9a8d0c487db11928cca  mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0o-1.mbs1.x86_64.rpm
 012ccb3cd7acc23e33666290036d0ec9  mbs1/x86_64/lib64openssl-static-devel-1.0.0o-1.mbs1.x86_64.rpm
 dba56f5d00437cfb90c7fecaa7dc2e86  mbs1/x86_64/openssl-1.0.0o-1.mbs1.x86_64.rpm
 89ba517c11cc244d57ecb98ec4be4140  mbs1/SRPMS/openssl-1.0.0o-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com