MNBSD-2015-0: OpenSSL multiple vulnerabilities (DTLS crash, ciphersuite downgrade, DER handling)

Severity: Unknown

Affected Package: openssl

Summary: OpenSSL multiple vulnerabilities (DTLS crash, ciphersuite downgrade, DER handling)

Description

Several OpenSSL security issues were fixed, including a NULL pointer dereference from a crafted DTLS message, a memory leak in dtls1_buffer_record, a NULL deref when built with no-ssl3, acceptance of ECDH ciphersuites without a server key exchange, acceptance of RSA temporary keys in non-export exchanges, acceptance of DH certificates without a certificate verify message, non-DER signature encoding acceptance, and incorrect BN_sqr results on some platforms. Impacts include denial of service and cryptographic downgrade.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570

Published: January 14, 2015
Last Modified: January 14, 2015