CVE-2014-3566

Name: CVE-2014-3566
Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-157-1, DLA-282-1, DLA-400-1, DSA-3092-1, DSA-3144-1, DSA-3147-1, DSA-3253-1, DSA-3489-1
Debian Bugs: 765539, 765702, 765928, 768164, 769904, 769905, 771359

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
bouncycastle (PTS) | buster | 1.60-1 | fixed
 | buster (security) | 1.60-1+deb10u1 | fixed
 | bullseye | 1.68-2 | fixed
 | bookworm | 1.72-2 | fixed
 | sid, trixie | 1.77-1 | fixed
epiphany-browser (PTS) | buster | 3.32.1.2-3~deb10u1 | vulnerable
 | buster (security) | 3.32.1.2-3~deb10u3 | vulnerable
 | bullseye (security), bullseye | 3.38.2-1+deb11u3 | vulnerable
 | bookworm | 43.1-1 | vulnerable
 | trixie | 46~beta-1 | vulnerable
 | sid | 46.0-1 | vulnerable
erlang (PTS) | buster | 1:21.2.6+dfsg-1 | fixed
 | buster (security) | 1:22.2.7+dfsg-1+deb10u1 | fixed
 | bullseye | 1:23.2.6+dfsg-1+deb11u1 | fixed
 | bookworm | 1:25.2.3+dfsg-1 | fixed
 | trixie | 1:25.3.2.8+dfsg-1 | fixed
 | sid | 1:25.3.2.10+dfsg-1 | fixed
gnutls28 (PTS) | buster | 3.6.7-4+deb10u8 | fixed
 | buster (security) | 3.6.7-4+deb10u12 | fixed
 | bullseye | 3.7.1-5+deb11u4 | fixed
 | bullseye (security) | 3.7.1-5+deb11u3 | fixed
 | bookworm | 3.7.9-2+deb12u2 | fixed
 | trixie | 3.8.3-1 | fixed
 | sid | 3.8.3-1.1 | fixed
haskell-tls (PTS) | buster | 1.4.1-3 | fixed
 | bullseye | 1.5.4-1 | fixed
 | bookworm | 1.5.8-1 | fixed
 | sid, trixie | 1.6.0-1 | fixed
lighttpd (PTS) | buster | 1.4.53-4+deb10u2 | fixed
 | buster (security) | 1.4.53-4+deb10u3 | fixed
 | bullseye (security), bullseye | 1.4.59-1+deb11u2 | fixed
 | bookworm | 1.4.69-1 | fixed
 | trixie | 1.4.74-1 | fixed
 | sid | 1.4.74-2 | fixed
midori (PTS) | buster | 7.0-2 | vulnerable
 | bullseye | 7.0-2.1 | vulnerable
netsurf (PTS) | bookworm, bullseye | 3.10-1 | fixed
 | sid, trixie | 3.11-1 | fixed
nss (PTS) | buster | 2:3.42.1-1+deb10u5 | fixed
 | buster (security) | 2:3.42.1-1+deb10u8 | fixed
 | bullseye (security), bullseye | 2:3.61-1+deb11u3 | fixed
 | bookworm | 2:3.87.1-1 | fixed
 | sid, trixie | 2:3.98-1 | fixed
openjdk-8 (PTS) | sid | 8u402-ga-4 | fixed
openssl (PTS) | buster | 1.1.1n-0+deb10u3 | fixed
 | buster (security) | 1.1.1n-0+deb10u6 | fixed
 | bullseye | 1.1.1w-0+deb11u1 | fixed
 | bullseye (security) | 1.1.1n-0+deb11u5 | fixed
 | bookworm, bookworm (security) | 3.0.11-1~deb12u2 | fixed
 | trixie | 3.1.5-1 | fixed
 | sid | 3.1.5-1.1 | fixed
pound (PTS) | bullseye | 3.0-2 | fixed
surf (PTS) | buster | 2.0+git20181009-4 | vulnerable
 | bullseye | 2.0+git20201107-2 | vulnerable
 | bookworm | 2.1+git20221016-4 | vulnerable
 | sid, trixie | 2.1+git20221016-6 | vulnerable
wolfssl (PTS) | bullseye | 4.6.0+p1-0+deb11u2 | fixed
 | bookworm | 5.5.4-2+deb12u1 | fixed
 | trixie | 5.6.6-1.2 | fixed
 | sid | 5.6.6-1.3 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
arora | source | (unstable) | (unfixed) | unimportant | |
bouncycastle | source | (unstable) | (not affected) | | |
chromium-browser | source | squeeze | (unfixed) | end-of-life | |
chromium-browser | source | wheezy | (unfixed) | end-of-life | |
chromium-browser | source | (unstable) | 39.0.2171.71-1 | | | 765928
conkeror | source | (unstable) | (unfixed) | unimportant | |
cyassl | source | (unstable) | (unfixed) | | | 769905
dwb | source | (unstable) | (unfixed) | unimportant | |
epiphany-browser | source | (unstable) | (unfixed) | unimportant | |
erlang | source | (unstable) | 1:17.3-dfsg-3 | | | 771359
galeon | source | (unstable) | (unfixed) | unimportant | |
gnutls26 | source | (unstable) | (unfixed) | | |
gnutls28 | source | (unstable) | 3.3.8-5 | | | 769904
haskell-tls | source | (unstable) | 1.2.9-2 | | | 768164
icedove | source | squeeze | (unfixed) | end-of-life | |
icedove | source | wheezy | 31.3.0-1~deb7u1 | | DSA-3092-1 |
icedove | source | (unstable) | 31.3.0-1 | | |
iceweasel | source | squeeze | (unfixed) | end-of-life | |
iceweasel | source | (unstable) | 31.2.0esr-2 | | |
kazehakase | source | (unstable) | (unfixed) | unimportant | |
kde-baseapps | source | (unstable) | (unfixed) | unimportant | |
kdebase | source | (unstable) | (unfixed) | unimportant | |
lighttpd | source | squeeze | 1.4.28-2+squeeze1.7 | | DLA-282-1 |
lighttpd | source | wheezy | 1.4.31-4+deb7u4 | | DSA-3489-1 |
lighttpd | source | (unstable) | 1.4.35-4 | | | 765702
matrixssl | source | (unstable) | (unfixed) | low | |
midori | source | (unstable) | (unfixed) | unimportant | |
netsurf | source | (unstable) | 3.6-1 | unimportant | |
nss | source | (unstable) | 2:3.17.1-1 | | |
openjdk-6 | source | squeeze | 6b34-1.13.6-1~deb6u1 | | DLA-157-1 |
openjdk-6 | source | wheezy | 6b34-1.13.6-1~deb7u1 | | DSA-3147-1 |
openjdk-6 | source | (unstable) | 6b34-1.13.6-1 | | |
openjdk-7 | source | wheezy | 7u75-2.5.4-1~deb7u1 | | DSA-3144-1 |
openjdk-7 | source | (unstable) | 7u75-2.5.4-1 | | |
openjdk-8 | source | (unstable) | 8u40~b04-1 | | |
openssl | source | (unstable) | 1.0.1j-1 | | |
polarssl | source | (unstable) | 1.3.9-2 | | |
pound | source | squeeze | 2.6-1+deb6u1 | | DLA-400-1 |
pound | source | wheezy | 2.6-2+deb7u1 | | DSA-3253-1 |
pound | source | jessie | 2.6-6+deb8u1 | | DSA-3253-1 |
pound | source | (unstable) | 2.6-6 | | | 765539
surf | source | (unstable) | (unfixed) | unimportant | |
tlslite | source | (unstable) | (unfixed) | | |
uzbl | source | (unstable) | (unfixed) | unimportant | |
wolfssl | source | (unstable) | 3.4.8+dfsg-1 | | |

Notes

- bouncycastle <not-affected> (SSLv3 needs to be explicitly enabled)
http://www.kb.cert.org/vuls/id/BLUU-9PYTFQ
wolfssl actually fixed with the initial upload to unstable after the rename
[wheezy] - openssl <no-dsa> (Will be addressed through a point update, #774299)
[squeeze] - openssl <no-dsa> (Change considered too risky)
[squeeze] - gnutls26 <no-dsa> (Minor issue)
[wheezy] - gnutls26 <no-dsa> (Minor issue)
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
[wheezy] - haskell-tls <no-dsa> (Minor issue)
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
[squeeze] - nss <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
[wheezy] - nss <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
[squeeze] - polarssl <no-dsa> (Minor issue)
[wheezy] - polarssl <no-dsa> (Minor issue)
[squeeze] - pound <no-dsa> (Minor issue)
[wheezy] - tlslite <no-dsa> (Minor issue)
[squeeze] - erlang <no-dsa> (Minor issue)
[wheezy] - erlang <no-dsa> (Minor issue)
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV
Fix is to disable SSLv3 in library or application configurations
Browsers based on webkit (with the exception of Chromium) or khtml are not covered by security support