Debian Security Advisory

DLA-0003-1 openssl -- LTS security update

Date Reported:
05 Jun 2014
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2014-0076, CVE-2014-0195, CVE-2014-0221, CVE-2014-3470, CVE-2014-0224.
More information:
  • CVE-2014-0195

    Jueri Aedla discovered that a buffer overflow in processing DTLS fragments could lead to the execution of arbitrary code or denial of service.

  • CVE-2014-0221

    Imre Rad discovered the processing of DTLS hello packets is susceptible to denial of service.

  • CVE-2014-0224

    KIKUCHI Masashi discovered that carefully crafted handshakes can force the use of weak keys, resulting in potential man-in-the-middle attacks.

  • CVE-2014-3470

    Felix Groebert and Ivan Fratric discovered that the implementation of anonymous ECDH ciphersuites is suspectible to denial of service.

  • CVE-2014-0076

    Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" Reported by Yuval Yarom and Naomi Benger.

Additional information can be found at

All applications linked to openssl need to be restarted. You can use the tool checkrestart from the package debian-goodies to detect affected programs or reboot your system.

It's important that you upgrade the libssl0.9.8 package and not just the openssl package.

For Debian 6 Squeeze, these issues have been fixed in openssl version 0.9.8o-4squeeze15