K 10
svn:author
V 7
delphij
K 8
svn:date
V 27
2014-09-09T10:09:46.179823Z
K 7
svn:log
V 1416
Fix multiple OpenSSL vulnerabilities:

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory. [CVE-2014-3509]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. [CVE-2014-3512]

A malicious server can crash the client with a NULL pointer dereference by
specifying a SRP ciphersuite even though it was not properly negotiated
with the client. [CVE-2014-5139]

Security:	CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510,
		CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
Security:	FreeBSD-SA-14:18.openssl
Approved by:	so

END