[security-announce] OpenSSL: Security update (upgrade to 1.0.1j)

Sona Sarmadi sona.sarmadi at enea.com
Fri Apr 10 17:38:06 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: OpenSSL 1.0.1j

CVE Names (1.0.1g - 1.0.1j):

The upgrade from 1.0.1g to 1.0.1j addresses the following CVEs:

OpenSSL 1.0.1h: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195,
CVE-2014-0198, CVE-2010-5298, CVE-2014-3470

OpenSSL 1.0.1i: CVE-2014-3508, CVE-2014-5139, CVE-2014-3509,
CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510,
CVE-2014-3511, CVE-2014-3512

OpenSSL 1.0.1j: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568,
SSL 3.0 Fallback protection (CVE-2014-3566)
=========================================================
A security patch that upgrades OpenSSL to version 1.0.1j
is now available at http://linux.enea.com/4.0/patches:

README file: 0057-openssl-Upgrade-to-1.0.1j.README
Patch file: 0057-openssl-Upgrade-to-1.0.1j.patch

References:
==========
OpenSSL 1.0.1h
https://www.openssl.org/news/secadv_20140605.txt

OpenSSL 1.0.1i
https://www.openssl.org/news/secadv_20140806.txt

OpenSSL 1.0.1j
https://www.openssl.org/news/secadv_20141015.txt

How to apply the patches
=======================
- - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

This patch assumes that you have already applied all the existing
OpenSSL patches (list below):

0001-Fix-for-OpenSSL-security-vulnerabilities.patch
0003-Fix-for-OpenSSL-CVE-2014-3566.patch
0004-Fix-for-OpenSSL-CVE-2014-3513.patch
0005-Fix-for-OpenSSL-CVE-2014-3567.patch
0006-Fix-for-OpenSSL-CVE-2014-3568.patch
0053-openssl-multiple-CVEs-fixes.patch


The upgrade to OpenSSL 1.0.1j will remove the following patches
since the upgrade addresses these CVEs already:

0001-Fix-for-OpenSSL-security-vulnerabilities.patch
0003-Fix-for-OpenSSL-CVE-2014-3566.patch
0004-Fix-for-OpenSSL-CVE-2014-3513.patch
0005-Fix-for-OpenSSL-CVE-2014-3567.patch
0006-Fix-for-OpenSSL-CVE-2014-3568.patch

- - Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0057-openssl-Upgrade-to-1.0.1j.patch
patch -p1 < ./0057-openssl-Upgrade-to-1.0.1j.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
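
A post-upgrade check for the procedure above, as an added example that is not part of the original advisory or Enea's tooling: it parses an `openssl version` banner and lists which of the releases named in the advisory (1.0.1h, 1.0.1i, 1.0.1j) the build still lacks. The function name and the sample banner are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OpenSSL releases from the advisory are newer
# than the version shown in an `openssl version` banner.
# Caveat: the banner reflects only the upstream release string, so a 1.0.1g
# build carrying backported fix patches still reports 1.0.1g here.
openssl_pending_fixes() {
    # Banner format: "OpenSSL <version> <date>"; take the second field.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}                      # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-z]) ;;            # only the 1.0.1 series is covered
        *) echo "unsupported version: $ver" >&2; return 2 ;;
    esac
    letter=${ver#1.0.1}                 # "" for plain 1.0.1, else a..z
    pending=""
    for rel in h i j; do
        # If the installed letter sorts strictly before the release letter,
        # that release (and its fixes) is missing.
        first=$(printf '%s\n%s\n' "$letter" "$rel" | LC_ALL=C sort | head -n 1)
        if [ "$first" != "$rel" ]; then
            pending="${pending:+$pending }1.0.1$rel"
        fi
    done
    if [ -z "$pending" ]; then
        return 0                        # at or beyond 1.0.1j
    fi
    printf '%s\n' "$pending"
    return 1
}

# Constructed sample banner for a pre-upgrade system.
openssl_pending_fixes "OpenSSL 1.0.1g 7 Apr 2014" || true
```

On a target system, call it as `openssl_pending_fixes "$(openssl version)"`; exit status 0 means the banner is at 1.0.1j or later in the 1.0.1 series.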

