Summary: The remote host is missing an update for the Debian 'openssl' package(s) announced via the DLA-177-1 advisory.
Vulnerability Insight: Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2015-0209
It was discovered that a malformed EC private key might result in memory corruption.
CVE-2015-0286
Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.
CVE-2015-0287
Emilia Kaesper discovered a memory corruption in ASN.1 parsing.
CVE-2015-0288
It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.
CVE-2015-0289
Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.
CVE-2015-0292
It was discovered that missing input sanitising in base64 decoding might result in memory corruption.
CVE-2015-0293
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.
For Debian 6 Squeeze, these issues have been fixed in openssl version 0.9.8o-4squeeze20.
Affected Software/OS: 'openssl' package(s) on Debian 6.
Solution: Please install the updated package(s).
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P