{"id":"USN-2308-1","summary":"openssl vulnerabilities","details":"Adam Langley and Wan-Teh Chang discovered that OpenSSL incorrectly handled\ncertain DTLS packets. A remote attacker could use this issue to cause\nOpenSSL to crash, resulting in a denial of service. (CVE-2014-3505)\n\nAdam Langley discovered that OpenSSL incorrectly handled memory when\nprocessing DTLS handshake messages. A remote attacker could use this issue\nto cause OpenSSL to consume memory, resulting in a denial of service.\n(CVE-2014-3506)\n\nAdam Langley discovered that OpenSSL incorrectly handled memory when\nprocessing DTLS fragments. A remote attacker could use this issue to cause\nOpenSSL to leak memory, resulting in a denial of service. This issue\nonly affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3507)\n\nIvan Fratric discovered that OpenSSL incorrectly leaked information in\nthe pretty printing functions. When OpenSSL is used with certain\napplications, an attacker may use this issue to possibly gain access to\nsensitive information. (CVE-2014-3508)\n\nGabor Tyukasz discovered that OpenSSL contained a race condition when\nprocessing serverhello messages. A malicious server could use this issue\nto cause clients to crash, resulting in a denial of service. This issue\nonly affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3509)\n\nFelix Gröbert discovered that OpenSSL incorrectly handled certain DTLS\nhandshake messages. A malicious server could use this issue to cause\nclients to crash, resulting in a denial of service. (CVE-2014-3510)\n\nDavid Benjamin and Adam Langley discovered that OpenSSL incorrectly\nhandled fragmented ClientHello messages. If a remote attacker were able to\nperform a machine-in-the-middle attack, this flaw could be used to force a\nprotocol downgrade to TLS 1.0. This issue only affected Ubuntu 12.04 LTS\nand Ubuntu 14.04 LTS. (CVE-2014-3511)\n\nSean Devlin and Watson Ladd discovered that OpenSSL incorrectly handled\ncertain SRP parameters. A remote attacker could use this with applications\nthat use SRP to cause a denial of service, or possibly execute arbitrary\ncode. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n(CVE-2014-3512)\n\nJoonas Kuorilehto and Riku Hietamäki discovered that OpenSSL incorrectly\nhandled certain Server Hello messages that specify an SRP ciphersuite. A\nmalicious server could use this issue to cause clients to crash, resulting\nin a denial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-5139)\n","modified":"2026-02-10T04:40:49Z","published":"2014-08-07T18:13:17Z","related":["UBUNTU-CVE-2014-3505","UBUNTU-CVE-2014-3506","UBUNTU-CVE-2014-3507","UBUNTU-CVE-2014-3508","UBUNTU-CVE-2014-3509","UBUNTU-CVE-2014-3510","UBUNTU-CVE-2014-3511","UBUNTU-CVE-2014-3512","UBUNTU-CVE-2014-5139"],"upstream":["CVE-2014-3505","CVE-2014-3506","CVE-2014-3507","CVE-2014-3508","CVE-2014-3509","CVE-2014-3510","CVE-2014-3511","CVE-2014-3512","CVE-2014-5139","UBUNTU-CVE-2014-3505","UBUNTU-CVE-2014-3506","UBUNTU-CVE-2014-3507","UBUNTU-CVE-2014-3508","UBUNTU-CVE-2014-3509","UBUNTU-CVE-2014-3510","UBUNTU-CVE-2014-3511","UBUNTU-CVE-2014-3512","UBUNTU-CVE-2014-5139"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2308-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3505"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3506"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3507"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3508"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3509"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3510"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3511"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3512"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-5139"}],"affected":[{"package":{"name":"openssl","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.5?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1f-1ubuntu2.5"}]}],"versions":["1.0.1e-3ubuntu1","1.0.1e-4ubuntu1","1.0.1e-4ubuntu2","1.0.1e-4ubuntu3","1.0.1e-4ubuntu4","1.0.1f-1ubuntu1","1.0.1f-1ubuntu2","1.0.1f-1ubuntu2.1","1.0.1f-1ubuntu2.2","1.0.1f-1ubuntu2.3","1.0.1f-1ubuntu2.4"],"ecosystem_specific":{"binaries":[{"binary_name":"libssl-dev","binary_version":"1.0.1f-1ubuntu2.5"},{"binary_name":"libssl1.0.0","binary_version":"1.0.1f-1ubuntu2.5"},{"binary_name":"openssl","binary_version":"1.0.1f-1ubuntu2.5"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2308-1.json","cves_map":{"cves":[{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3505"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3506"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3507"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3508"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3509"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3510"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3511"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-3512"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-5139"}],"ecosystem":"Ubuntu:14.04:LTS"}}}],"schema_version":"1.7.3"}