Bugzilla – Bug 934494
VUL-0: CVE-2014-8176: openssl,openssl1: Invalid free in DTLS
Last modified: 2017-02-21 06:24:07 UTC
https://openssl.org/news/secadv_20150611.txt Invalid free in DTLS (CVE-2014-8176) ==================================== Severity: Moderate This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014. If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption. This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h. This issue was originally reported on March 28th 2014 in https://rt.openssl.org/Ticket/Display.html?id=3286 by Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google). A fix was developed by zhu qun-ying. The fix for this issue can be identified by commits bcc31166 (1.0.1), b79e6e3a (1.0.0) and 4b258e73 (0.9.8
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-06-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61984
bugbot adjusting priority
openSUSE-SU-2015:1139-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 931698,933898,933911,934487,934489,934491,934493,934494 CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000 Sources used: openSUSE 13.2 (src): openssl-1.0.1k-2.24.1 openSUSE 13.1 (src): openssl-1.0.1k-11.72.1
SUSE-SU-2015:1185-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 929678,931698,933911,934487,934489,934491,934493,934494 CVE References: CVE-2014-8176,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-4000 Sources used: SUSE Linux Enterprise Security Module 11 SP3 (src): openssl1-1.0.1g-0.30.1
openSUSE-SU-2015:1277-1: An update that solves 16 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 912015,912018,912292,912293,912296,919648,920236,922496,922499,922500,931600,934487,934489,934491,934493,934494,937891 CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8176,CVE-2014-8275,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1792,CVE-2015-4000 Sources used: openSUSE 13.2 (src): libressl-2.2.1-2.3.1
posted note: This issue only affected openssl versions after openssl 0.9.8j, so openssl 0.9.8j on SUSE Linux Enterprise 11 or older versions are not affected.