usn-2308-1
Vulnerability from osv_ubuntu
Published
2014-08-07 18:13
Modified
2026-04-22 07:36
Summary
openssl vulnerabilities
Details

Adam Langley and Wan-Teh Chang discovered that OpenSSL incorrectly handled certain DTLS packets. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2014-3505)

Adam Langley discovered that OpenSSL incorrectly handled memory when processing DTLS handshake messages. A remote attacker could use this issue to cause OpenSSL to consume memory, resulting in a denial of service. (CVE-2014-3506)

Adam Langley discovered that OpenSSL incorrectly handled memory when processing DTLS fragments. A remote attacker could use this issue to cause OpenSSL to leak memory, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3507)

Ivan Fratric discovered that OpenSSL incorrectly leaked information in the pretty printing functions. When OpenSSL is used with certain applications, an attacker may use this issue to possibly gain access to sensitive information. (CVE-2014-3508)

Gabor Tyukasz discovered that OpenSSL contained a race condition when processing serverhello messages. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3509)

Felix Gröbert discovered that OpenSSL incorrectly handled certain DTLS handshake messages. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. (CVE-2014-3510)

David Benjamin and Adam Langley discovered that OpenSSL incorrectly handled fragmented ClientHello messages. If a remote attacker were able to perform a machine-in-the-middle attack, this flaw could be used to force a protocol downgrade to TLS 1.0. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3511)

Sean Devlin and Watson Ladd discovered that OpenSSL incorrectly handled certain SRP parameters. A remote attacker could use this with applications that use SRP to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3512)

Joonas Kuorilehto and Riku Hietamäki discovered that OpenSSL incorrectly handled certain Server Hello messages that specify an SRP ciphersuite. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5139)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2014-3505",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3506",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3507",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3508",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3509",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3510",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3511",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-3512",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2014-5139",
              "severity": [
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:14.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "libssl1.0.0",
            "binary_version": "1.0.1f-1ubuntu2.5"
          },
          {
            "binary_name": "openssl",
            "binary_version": "1.0.1f-1ubuntu2.5"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:14.04:LTS",
        "name": "openssl",
        "purl": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.5?arch=source\u0026distro=trusty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1f-1ubuntu2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1e-3ubuntu1",
        "1.0.1e-4ubuntu1",
        "1.0.1e-4ubuntu2",
        "1.0.1e-4ubuntu3",
        "1.0.1e-4ubuntu4",
        "1.0.1f-1ubuntu1",
        "1.0.1f-1ubuntu2",
        "1.0.1f-1ubuntu2.1",
        "1.0.1f-1ubuntu2.2",
        "1.0.1f-1ubuntu2.3",
        "1.0.1f-1ubuntu2.4"
      ]
    }
  ],
  "aliases": [],
  "details": "Adam Langley and Wan-Teh Chang discovered that OpenSSL incorrectly handled\ncertain DTLS packets. A remote attacker could use this issue to cause\nOpenSSL to crash, resulting in a denial of service. (CVE-2014-3505)\n\nAdam Langley discovered that OpenSSL incorrectly handled memory when\nprocessing DTLS handshake messages. A remote attacker could use this issue\nto cause OpenSSL to consume memory, resulting in a denial of service.\n(CVE-2014-3506)\n\nAdam Langley discovered that OpenSSL incorrectly handled memory when\nprocessing DTLS fragments. A remote attacker could use this issue to cause\nOpenSSL to leak memory, resulting in a denial of service. This issue\nonly affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3507)\n\nIvan Fratric discovered that OpenSSL incorrectly leaked information in\nthe pretty printing functions. When OpenSSL is used with certain\napplications, an attacker may use this issue to possibly gain access to\nsensitive information. (CVE-2014-3508)\n\nGabor Tyukasz discovered that OpenSSL contained a race condition when\nprocessing serverhello messages. A malicious server could use this issue\nto cause clients to crash, resulting in a denial of service. This issue\nonly affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3509)\n\nFelix Gr\u00f6bert discovered that OpenSSL incorrectly handled certain DTLS\nhandshake messages. A malicious server could use this issue to cause\nclients to crash, resulting in a denial of service. (CVE-2014-3510)\n\nDavid Benjamin and Adam Langley discovered that OpenSSL incorrectly\nhandled fragmented ClientHello messages. If a remote attacker were able to\nperform a machine-in-the-middle attack, this flaw could be used to force a\nprotocol downgrade to TLS 1.0. This issue only affected Ubuntu 12.04 LTS\nand Ubuntu 14.04 LTS. (CVE-2014-3511)\n\nSean Devlin and Watson Ladd discovered that OpenSSL incorrectly handled\ncertain SRP parameters. A remote attacker could use this with applications\nthat use SRP to cause a denial of service, or possibly execute arbitrary\ncode. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n(CVE-2014-3512)\n\nJoonas Kuorilehto and Riku Hietam\u00e4ki discovered that OpenSSL incorrectly\nhandled certain Server Hello messages that specify an SRP ciphersuite. A\nmalicious server could use this issue to cause clients to crash, resulting\nin a denial of service. This issue only affected Ubuntu 12.04 LTS and\nUbuntu 14.04 LTS. (CVE-2014-5139)\n",
  "id": "USN-2308-1",
  "modified": "2026-04-22T07:36:31Z",
  "published": "2014-08-07T18:13:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-2308-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3505"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3506"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3507"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3508"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3509"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3510"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3511"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-3512"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2014-5139"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "openssl vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2014-3505",
    "UBUNTU-CVE-2014-3506",
    "UBUNTU-CVE-2014-3507",
    "UBUNTU-CVE-2014-3508",
    "UBUNTU-CVE-2014-3509",
    "UBUNTU-CVE-2014-3510",
    "UBUNTU-CVE-2014-3511",
    "UBUNTU-CVE-2014-3512",
    "UBUNTU-CVE-2014-5139"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…