{"id":"MGASA-2014-0416","summary":"Updated openssl packages fix security vulnerabilities","details":"This update adds support for the TLS Fallback Signaling Cipher Suite Value\n(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade\nattacks against applications which re-connect using a lower SSL/TLS\nprotocol version when the initial connection indicating the highest\nsupported protocol version fails.\n\nThis can prevent a forceful downgrade of the communication to SSL 3.0.\nThe SSL 3.0 protocol was found to be vulnerable to the padding oracle\nattack when using block cipher suites in cipher block chaining (CBC) mode.\nThis issue is identified as CVE-2014-3566, and also known under the alias\nPOODLE. This SSL 3.0 protocol flaw will not be addressed in a future\nupdate; it is recommended that users configure their applications to\nrequire at least TLS protocol version 1.0 for secure communication.\n\nFor additional information about this flaw, see the Red Hat Knowledgebase\narticle in the references.\n\nA memory leak flaw was found in the way OpenSSL parsed the DTLS Secure\nReal-time Transport Protocol (SRTP) extension data. A remote attacker could\nsend multiple specially crafted handshake messages to exhaust all available\nmemory of an SSL/TLS or DTLS server (CVE-2014-3513).\n\nA memory leak flaw was found in the way OpenSSL handled failed session\nticket integrity checks. A remote attacker could exhaust all available\nmemory of an SSL/TLS or DTLS server by sending a large number of invalid\nsession tickets to that server (CVE-2014-3567).\n","modified":"2026-04-16T06:26:22.313427447Z","published":"2014-10-23T13:27:57Z","upstream":["CVE-2014-3513","CVE-2014-3566","CVE-2014-3567"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0416.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14296"},{"type":"WEB","url":"https://access.redhat.com/articles/1232123"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2014-1652.html"}],"affected":[{"package":{"name":"openssl","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/openssl?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1e-1.11.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0416.json"}},{"package":{"name":"openssl","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/openssl?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1e-8.8.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0416.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}