OpenSSL 1.0.1e-2+deb7u14 Debian Wheezy and CVE-2014-0224

Question

According to Debian security tracker CVE-2014-0224 vulnerability is fixed in OpenSSL 1.0.1e-2+deb7u10. https://security-tracker.debian.org/tracker/CVE-2014-0224

I have:

#apt-cache policy openssl
openssl:
  Installed: 1.0.1e-2+deb7u13
  Candidate: 1.0.1e-2+deb7u13

But when trying to pass PCI compliance test it fails with:

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-
Nmap scan report for static-ip-inaddr.ip-pool.com ()
Host is up (0.11s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       http://www.cvedetails.com/cve/2014-0224
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt

Should I somehow (how?) install OpenSSL 1.0.1h in Debian Wheezy?

Related topics I've read but not sure if there is someting I can use: OpenSSL issues in Debian Wheezy Update openssl in debian squeeze

Yeah, but how do I convince them of it? They rejected my dispute. — user2606078, Dec 11 '14 at 06:11

OpenSSL 1.0.1e-2+deb7u14 Debian Wheezy and CVE-2014-0224

0 Answers0