rpm package
opensuse/libressl&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/libressl&distro=openSUSE%20Tumbleweed
Vulnerabilities (33)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-0205 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Jan 9, 2015 | The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowled | ||
| CVE-2014-8275 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Jan 9, 2015 | OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's u | ||
| CVE-2014-3572 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Jan 9, 2015 | The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. | ||
| CVE-2014-3570 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Jan 9, 2015 | The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, relat | ||
| CVE-2014-3502 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Nov 15, 2014 | Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. | ||
| CVE-2014-5139 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiati | ||
| CVE-2014-3512 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter. | ||
| CVE-2014-3511 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, relat | ||
| CVE-2014-3510 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in | ||
| CVE-2014-3509 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application cra | ||
| CVE-2014-3508 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive informat | ||
| CVE-2014-3507 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return | ||
| CVE-2014-3506 | — | < 2.5.0-1.1 | 2.5.0-1.1 | Aug 13, 2014 | d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large |
- CVE-2015-0205Jan 9, 2015affected < 2.5.0-1.1fixed 2.5.0-1.1
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowled
- CVE-2014-8275Jan 9, 2015affected < 2.5.0-1.1fixed 2.5.0-1.1
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's u
- CVE-2014-3572Jan 9, 2015affected < 2.5.0-1.1fixed 2.5.0-1.1
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
- CVE-2014-3570Jan 9, 2015affected < 2.5.0-1.1fixed 2.5.0-1.1
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, relat
- CVE-2014-3502Nov 15, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent.
- CVE-2014-5139Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiati
- CVE-2014-3512Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.
- CVE-2014-3511Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, relat
- CVE-2014-3510Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in
- CVE-2014-3509Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application cra
- CVE-2014-3508Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive informat
- CVE-2014-3507Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return
- CVE-2014-3506Aug 13, 2014affected < 2.5.0-1.1fixed 2.5.0-1.1
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large
Page 2 of 2