Description:
Summary: The remote host is missing an update for the 'openssl' package(s) announced via the SSA:2014-098-01 advisory.
Vulnerability Insight: New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1g-i486-1_slack14.1.txz: Upgraded.
  This update fixes two security issues:
  A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.
  Fix for the attack described in the paper 'Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack' by Yuval Yarom and Naomi Benger. Details can be obtained from: [link moved to references]
  For more information, see: [links moved to references]
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1g-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
Affected Software/OS: 'openssl' package(s) on Slackware 14.0, Slackware 14.1, Slackware current.
Solution: Please install the updated package(s).
CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N