Univention Bugzilla – Bug 36170
openssl: Multiple issues (3.2)
Last modified: 2014-12-17 15:38:57 CET
CVE-2014-3566 This will requires fixes in openssl, gnutls and nss. Firefox also needs a fix since it uses a local nss copy. (There are additional Firefox issues, so I'll file a separate bug). http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html https://www.openssl.org/~bodo/ssl-poodle.pdf
Additional issues have been reported/fixed: Denial of service through memory leak in session ticket validation (CVE-2014-3567) A a mechanism to counter downgrade attacks to SSL3 (TLS_FALLBACK_SCSV) (CVE-2014-3566) The build option no-ssl3 didn't work as expected (CVE-2014-3568)
squeeze-lts imported. Tests (amd64): OK Advisory: 2014-12-01-openssl.yaml
OK: aptitude install '?source-package(openssl)?installed' OK: amd64 OK: i386 OK: zless /usr/share/doc/openssl/changelog.Debian.gz OK: univention-certificate new -name foo OK: openssl verify -CAfile ucsCA/CAcert.pem -purpose any foo/cert.pem OK: univention-ldapsearch -ZZ OK: (printf 'GET / HTTP/1.1\r\nHost: www.univention.de\r\n\r\n';sleep 1)|openssl s_client -host www.univention.de -port 443 FIXED: 2014-12-01-openssl.yaml r56923 | Bug #36170 OpenSSL: YAML fixes OK: errata-announce --validate-bugzilla -V 2014-12-01-openssl.yaml
http://errata.univention.de/ucs/3.2/257.html