CVSS: 7.5EPSS: 26%CPEs: 25EXPL: 0CVE-2015-0206 – openssl: DTLS memory leak in dtls1_buffer_record
https://notcve.org/view.php?id=CVE-2015-0206
09 Jan 2015 — Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. Fuga de memoria en la función dtls1_buffer_record en d1_pkt.c en OpenSSL 1.0.0 anterior a 1.0.0p y 1.0.1 anterior a 1.0.1k permite a atacantes remotos causar una denegación de servicio (consumo de memoria) mediante el envío de mu... • http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147938.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.0EPSS: 94%CPEs: 147EXPL: 6CVE-2014-3566 – SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://notcve.org/view.php?id=CVE-2014-3566
15 Oct 2014 — The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. El protocolo SSL 3.0, utilizado en OpenSSL hasta 1.0.1i y otros productos, utiliza relleno (padding) CBC no determinístico, lo que facilita a los atacantes man-in-the-middle obtener datos de texto plano a través de un ataque de relleno (padding) oracle, también conocid... • https://github.com/mikesplain/CVE-2014-3566-poodle-cookbook • CWE-310: Cryptographic Issues CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 9.8EPSS: 24%CPEs: 34EXPL: 0CVE-2014-3567 – openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
https://notcve.org/view.php?id=CVE-2014-3567
15 Oct 2014 — Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. Fuga de memoria en la función tls_decrypt_ticket en t1_lib.c en OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través d... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-20: Improper Input Validation CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 4%CPEs: 34EXPL: 0CVE-2014-3568 – HP Security Bulletin HPSBOV03227
https://notcve.org/view.php?id=CVE-2014-3568
15 Oct 2014 — OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j no fuerza correctamente la opción build no-ssl3, lo que permite a atacantes remotos evadir las restricciones de acceso a través de una negociación SSL 3.0, relacionado con s23_cln... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 30%CPEs: 13EXPL: 0CVE-2014-3513 – openssl: SRTP memory leak causes crash when using specially-crafted handshake message
https://notcve.org/view.php?id=CVE-2014-3513
15 Oct 2014 — Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. Fuga de memoria en d1_srtp.c en la extensión DTLS SRTP en OpenSSL 1.0.1 anterior a 1.0.1j permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un mensaje de negociación manipulado. A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-20: Improper Input Validation CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 45%CPEs: 59EXPL: 0CVE-2014-3505 – openssl: DTLS packet processing double free
https://notcve.org/view.php?id=CVE-2014-3505
06 Aug 2014 — Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. Vulnerabilidad de doble liberación en d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de servicio (caída de apl... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 7.5EPSS: 50%CPEs: 59EXPL: 0CVE-2014-3506 – openssl: DTLS memory exhaustion
https://notcve.org/view.php?id=CVE-2014-3506
06 Aug 2014 — d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través d... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 74%CPEs: 59EXPL: 1CVE-2014-3507 – openssl: DTLS memory leak from zero-length fragments
https://notcve.org/view.php?id=CVE-2014-3507
06 Aug 2014 — Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. Fuga de memoria en d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de ... • https://github.com/Satheesh575555/openSSL_1.0.1g_CVE-2014-3507 • CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.9EPSS: 2%CPEs: 59EXPL: 0CVE-2014-3508 – openssl: information leak in pretty printing functions
https://notcve.org/view.php?id=CVE-2014-3508
06 Aug 2014 — The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. La función OBJ_obj2txt en crypto/objects/obj_dat.c en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 15%CPEs: 31EXPL: 0CVE-2014-3509 – openssl: race condition in ssl_parse_serverhello_tlsext
https://notcve.org/view.php?id=CVE-2014-3509
06 Aug 2014 — Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. Condición de carrera en la función ssl_parse_serverhello_tlsext en t1_lib.c en OpenSSL 1.0.0 anterior a 1.0.0n y 1.... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •