====== Slackware-14.1 ChangeLog (2014-10-15) ======

====== Wed Oct 15 17:28:59 UTC 2014 ======

===== Packages =====

==== Upgraded ====

  * [[slackware.14.1>patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.1.txz]] \\ (* Security fix *)
  * [[slackware.14.1>patches/packages/openssl-1.0.1j-i486-1_slack14.1.txz]] \\ This update fixes several security issues: \\ SRTP Memory Leak (CVE-2014-3513): \\ A flaw in the DTLS SRTP extension parsing code allows an attacker, who \\ sends a carefully crafted handshake message, to cause OpenSSL to fail \\ to free up to 64k of memory causing a memory leak. This could be \\ exploited in a Denial Of Service attack. \\ Session Ticket Memory Leak (CVE-2014-3567): \\ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the \\ integrity of that ticket is first verified. In the event of a session \\ ticket integrity check failing, OpenSSL will fail to free memory \\ causing a memory leak. By sending a large number of invalid session \\ tickets an attacker could exploit this issue in a Denial Of Service \\ attack. \\ SSL 3.0 Fallback protection: \\ OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications \\ to block the ability for a MITM attacker to force a protocol \\ downgrade. \\ Some client applications (such as browsers) will reconnect using a \\ downgraded protocol to work around interoperability bugs in older \\ servers. This could be exploited by an active man-in-the-middle to \\ downgrade connections to SSL 3.0 even if both sides of the connection \\ support higher protocols. SSL 3.0 contains a number of weaknesses \\ including POODLE (CVE-2014-3566). \\ Build option no-ssl3 is incomplete (CVE-2014-3568): \\ When OpenSSL is configured with "no-ssl3" as a build option, servers \\ could accept and complete a SSL 3.0 handshake, and clients could be \\ configured to send them. \\ For more information, see: \\ https://www.openssl.org/news/secadv_20141015.txt \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568 \\ (* Security fix *)

{{tag>slackware changelog slackware-14.1 2014-10}}

news/2014/10/15/slackware-14.1-changelog.txt Last modified: 8 months ago by Giuseppe Di Terlizzi