[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201404-07.xml

2014-04-08 Thread Mikle Kolyada (zlogene)
zlogene 14/04/08 10:16:01

  Added:glsa-201404-07.xml
  Log:
  GLSA 201404-07

Revision  Changes  Path
1.1  xml/htdocs/security/en/glsa/glsa-201404-07.xml

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml?rev=1.1&content-type=text/plain

Index: glsa-201404-07.xml
===




  OpenSSL: Information Disclosure
  Multiple Information Disclosure vulnerabilities in OpenSSL allow
remote attackers to obtain sensitive information via various vectors.
  
  openssl
  April 08, 2014
  April 08, 2014: 1
  505278
  507074
  remote
  

  1.0.1g
  1.0.1g

  
  
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
  (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
  purpose cryptography library.

  
  
Multiple vulnerabilities have been found in OpenSSL:


  OpenSSL incorrectly handles memory in the TLS heartbeat extension,
leading to information disclosure of 64kb per request, possibly
including private keys (“Heartbleed bug”, OpenSSL 1.0.1 only,
CVE-2014-0160).
  
  The Montgomery ladder implementation of OpenSSL improperly handles
swap operations (CVE-2014-0076).
  

  
  
A remote attacker could exploit these issues to disclose information,
  including private keys or other sensitive information, or perform
  side-channel attacks to obtain ECDSA nonces.

  
  
Disabling the tls-heartbeat USE flag (enabled by default) provides a
  workaround for the CVE-2014-0160 issue.

  
  
All OpenSSL users should upgrade to the latest version:


  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"


Note: All services using OpenSSL to provide TLS connections have to be
  restarted for the update to take effect. Utilities like
  app-admin/lib_users can aid in identifying programs using OpenSSL.


As private keys may have been compromised using the Heartbleed attack,
  it is recommended to regenerate them.
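The restart step above depends on knowing which running services still map the replaced libssl/libcrypto. As an added example, not part of GLSA 201404-07 and not the app-admin/lib_users tool it mentions, the following POSIX shell script flags processes whose /proc/<pid>/maps references a libssl or libcrypto object marked "(deleted)", which is the state a long-running service is left in after the upgrade until it is restarted. The sample maps contents are constructed; the live scan needs root to read other users' maps.

```shell
#!/bin/sh
# Added example, not part of GLSA 201404-07 and not the lib_users tool:
# find processes still mapping a replaced ("deleted") libssl/libcrypto,
# i.e. the services that must be restarted for the upgrade to take effect.

# Core check on the text of one /proc/<pid>/maps file: prints 1 if any
# mapping refers to a libssl/libcrypto object whose file has been deleted
# (replaced on disk by the upgrade), otherwise 0.
maps_has_stale_openssl() {
    printf '%s\n' "$1" \
        | grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' >/dev/null \
        && echo 1 || echo 0
}

# Walk every live process; prints "<pid>\t<cmdline>" for each stale user.
# Reading other users' maps requires root. Statically linked programs and
# processes whose library file was not replaced are not reported.
list_stale_openssl_users() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        content=$(cat "$maps" 2>/dev/null) || continue
        [ "$(maps_has_stale_openssl "$content")" = 1 ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\t%s\n' "$pid" "${cmd:-?}"
    done
}

# Constructed sample maps contents (not captured from a real system):
# a process started before the upgrade and one started after it.
SAMPLE_STALE='7f1c8b2a1000-7f1c8b3f0000 r-xp 00000000 08:01 1234 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1c8b5f0000-7f1c8b640000 r-xp 00000000 08:01 1235 /usr/lib64/libssl.so.1.0.0 (deleted)'
SAMPLE_FRESH='7f1c8b2a1000-7f1c8b3f0000 r-xp 00000000 08:01 2234 /usr/lib64/libcrypto.so.1.0.0
7f1c8b5f0000-7f1c8b640000 r-xp 00000000 08:01 2235 /usr/lib64/libssl.so.1.0.0'

# Run with --scan on the upgraded box to list what still needs a restart.
if [ "${1:-}" = "--scan" ]; then
    list_stale_openssl_users
fi
```

A process that shows up here was loaded against the old library and is not fixed until restarted, regardless of what emerge reports.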

  
  
CVE-2014-0076: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0076
CVE-2014-0160: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0160
Heartbleed bug website: http://heartbleed.com/
  
  a3li
  a3li







[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201404-07.xml

2014-04-10 Thread Alex Legler (a3li)
a3li 14/04/10 07:26:09

  Modified: glsa-201404-07.xml
  Log:
  GLSA 201404-07: Exclude 0.9.8y

Revision  Changes  Path
1.2  xml/htdocs/security/en/glsa/glsa-201404-07.xml

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml?rev=1.2&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml?rev=1.2&content-type=text/plain
diff : 
http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml?r1=1.1&r2=1.2

Index: glsa-201404-07.xml
===
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/glsa/glsa-201404-07.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- glsa-201404-07.xml  8 Apr 2014 10:16:01 -   1.1
+++ glsa-201404-07.xml  10 Apr 2014 07:26:09 -  1.2
@@ -9,13 +9,14 @@
   
   openssl
   April 08, 2014
-  April 08, 2014: 1
+  April 10, 2014: 2
   505278
   507074
   remote
   
 
   1.0.1g
+  0.9.8y
   1.0.1g
 
   
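Review bot: the new 0.9.8y version line is added without any matching change to the description or resolution text, so the only explanation of why that branch is excluded is the commit log ("Exclude 0.9.8y"); the advisory body states that CVE-2014-0160 affects OpenSSL 1.0.1 only but gives no version range for CVE-2014-0076, and the emerge command still targets only ">=dev-libs/openssl-1.0.1g". Consider adding a sentence to the description or resolution stating the 0.9.8 status. Also, the element tags that say which of the two surrounding 1.0.1g entries 0.9.8y belongs with are not visible in this archive view, so verify the placement in the checked-in file. The revision bump to "April 10, 2014: 2" is consistent with a content change.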
@@ -73,5 +74,5 @@
 http://heartbleed.com/";>Heartbleed bug website
   
   a3li
-  a3li
+  a3li
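Review bot: the removed and added lines both render as "a3li", so whatever changed in this hunk lives in markup the archive does not show, and the commit log ("Exclude 0.9.8y") does not mention it. State the metadata change in the log so the hunk can be reviewed from the mail alone, or keep it out of a commit whose stated scope is the 0.9.8y exclusion.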