Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2014-3569: openssl: remote denial of service when built with no-ssl3|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Marcus Meissner <meissner>|
|Component:||Incidents||Assignee:||Vítězslav Čížek <vcizek>|
|Status:||RESOLVED INVALID||QA Contact:||Security Team bot <security-team>|
|Priority:||P5 - None|
Description Marcus Meissner 2014-12-30 20:19:15 UTC
Comment 1 Marcus Meissner 2014-12-30 20:23:16 UTC
We still build with ssl3 even in Factory. -> Not affected by this problem.
Comment 2 Marcus Meissner 2014-12-30 20:24:21 UTC
CVE-2014-3569,20141230,NOTE:We so far are building openssl with ssl3 enabled, so this problem does not affect our packages.
Comment 3 Marcus Meissner 2015-01-08 16:09:38 UTC
openssl.org/news/secadv_20150108.txt

no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The fix was developed by Kurt Roeckx.
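
The failure mode the advisory describes, as a simplified C model added here (not OpenSSL source and not part of the bug report): a version-to-method lookup that returns NULL for SSLv3 in a no-ssl3 build, with the result stored unchecked versus checked first. All type and function names are hypothetical; only the SSL3_VERSION and TLS1_VERSION wire values are real.

```c
#include <stddef.h>
#include <stdio.h>

#define SSL3_VERSION  0x0300   /* protocol version values as sent on the wire */
#define TLS1_VERSION  0x0301
#define BUILT_NO_SSL3 1        /* assumption: models a build configured with no-ssl3 */

/* Hypothetical stand-ins for a protocol method table and a connection. */
typedef struct { const char *name; int (*accept)(void); } method_t;
typedef struct { int version; const method_t *method; } conn_t;

static int accept_ok(void) { return 1; }
static const method_t tls1_method = { "TLSv1", accept_ok };
#if !BUILT_NO_SSL3
static const method_t ssl3_method = { "SSLv3", accept_ok };
#endif

/* Returns NULL for any version this build has no method for. */
static const method_t *lookup_method(int ver) {
#if !BUILT_NO_SSL3
    if (ver == SSL3_VERSION) return &ssl3_method;
#endif
    if (ver == TLS1_VERSION) return &tls1_method;
    return NULL;
}

/* Before: the lookup result is stored unchecked, so an SSLv3 hello leaves
 * conn->method NULL and any later conn->method->accept() dereferences NULL. */
void select_unchecked(conn_t *c, int hello_ver) {
    c->version = hello_ver;
    c->method = lookup_method(hello_ver);
}

/* After: reject the unsupported version and leave the connection unchanged. */
int select_checked(conn_t *c, int hello_ver) {
    const method_t *m = lookup_method(hello_ver);
    if (m == NULL) return -1;
    c->version = hello_ver;
    c->method = m;
    return 0;
}

int main(void) {
    conn_t a = { TLS1_VERSION, &tls1_method }, b = a;
    select_unchecked(&a, SSL3_VERSION);
    int rc = select_checked(&b, SSL3_VERSION);
    printf("unchecked: method=%s\n", a.method ? a.method->name : "NULL");
    printf("checked: rc=%d method=%s\n", rc, b.method->name);
    return 0;
}
```

With BUILT_NO_SSL3 set to 0 the lookup succeeds for SSLv3 and neither path ends up with a NULL method, which matches the triage in Comment 1.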
Comment 4 Bernhard Wiedemann 2015-01-09 12:00:10 UTC
This is an autogenerated message for OBS integration: This bug (911399) was mentioned in https://build.opensuse.org/request/show/280570 Factory / openssl
Comment 5 Swamp Workflow Management 2015-01-23 19:05:21 UTC
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
openSUSE 13.2 (src): openssl-1.0.1k-2.16.2
openSUSE 13.1 (src): openssl-1.0.1k-11.64.2