Debian Security Advisory

DLA-0008-1 openssl -- LTS security update

Date Reported:
20 Jun 2014
Affected Packages:
openssl
Security database references:
In Mitre's CVE dictionary: CVE-2014-0224, CVE-2012-4929.
More information:
  • CVE-2014-0224

    This update revises the upstream fix for CVE-2014-0224 to address problems with renegotiation under some conditions.

    Original advisory text: KIKUCHI Masashi discovered that carefully crafted handshakes can force the use of weak keys, resulting in potential man-in-the-middle attacks.

  • CVE-2012-4929

    ZLIB compression is now disabled by default. If you need to re-enable it for some reason, you can set the environment variable OPENSSL_DEFAULT_ZLIB in the environment of the affected process.

It's important that you upgrade the libssl0.9.8 package (the shared library that applications link against) and not just the openssl package (the command-line tool).

All applications linked to openssl need to be restarted. You can use the tool checkrestart from the package debian-goodies to detect affected programs or reboot your system.
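The restart check described above, as an added example that is not code from the advisory or from debian-goodies' checkrestart: a process started before the upgrade still maps the old libssl/libcrypto file, and once the new package has replaced that file on disk the kernel shows the mapping in /proc/<pid>/maps with a "(deleted)" suffix. The functions take the proc root as a parameter so they can be run against a constructed tree; the PIDs 4242/4243 and their maps and stat contents are made-up sample data, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the advisory or of debian-goodies): find processes
# that still have the pre-upgrade libssl/libcrypto mapped and so need a restart.

# stale_libssl_pids PROC_ROOT
# Print one PID per line for every process whose maps file contains a
# libssl or libcrypto mapping marked "(deleted)".
stale_libssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable (other users' processes) or no match
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"             # strip trailing "/maps"
            printf '%s\n' "${pid##*/}"      # keep only the PID path component
        fi
    done
}

# stale_libssl_report PROC_ROOT
# Same as above, but print "PID COMMAND". The command name is taken from the
# second field of /proc/<pid>/stat (in parentheses), which exists on every
# Linux kernel, unlike /proc/<pid>/comm.
stale_libssl_report() {
    proc_root="${1:-/proc}"
    for pid in $(stale_libssl_pids "$proc_root"); do
        comm="?"
        if [ -r "$proc_root/$pid/stat" ]; then
            comm="$(sed -n 's/^[0-9]* (\(.*\)) .*/\1/p' "$proc_root/$pid/stat")"
        fi
        printf '%s %s\n' "$pid" "$comm"
    done
}

# make_sample_proc DIR
# Build a constructed fake /proc under DIR (assumed sample data): PID 4242 still
# maps the old, deleted libssl/libcrypto; PID 4243 was started after the upgrade
# and maps the current files.
make_sample_proc() {
    mkdir -p "$1/4242" "$1/4243"
    printf '%s\n' '4242 (stale-daemon) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1000 0 0' \
        > "$1/4242/stat"
    printf '%s\n' \
        '7f1a0000-7f1b0000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.8 (deleted)' \
        '7f1b0000-7f1c0000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.0.9.8 (deleted)' \
        > "$1/4242/maps"
    printf '%s\n' '4243 (fresh-daemon) S 1 4243 4243 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 2000 0 0' \
        > "$1/4243/stat"
    printf '%s\n' \
        '7f2a0000-7f2b0000 r-xp 00000000 08:01 2234 /usr/lib/libssl.so.0.9.8' \
        '7f2b0000-7f2c0000 r-xp 00000000 08:01 2235 /usr/lib/libcrypto.so.0.9.8' \
        > "$1/4243/maps"
}

# Run against the constructed tree first, then against the live system.
sample_dir="$(mktemp -d)"
make_sample_proc "$sample_dir"
echo "constructed tree:"
stale_libssl_report "$sample_dir"      # 4242 stale-daemon
rm -rf "$sample_dir"
echo "live system (processes to restart):"
stale_libssl_report /proc
```

Run it as root to see every process; as an ordinary user only your own /proc/<pid>/maps files are readable, so system daemons are silently skipped. A process that shows up here must be restarted (or the system rebooted) before it is actually using the fixed library, whatever dpkg reports as installed.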

For Debian 6 (squeeze), these issues have been fixed in openssl version 0.9.8o-4squeeze16.