Name | CVE-2014-3566 |
Description | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-157-1, DLA-282-1, DLA-400-1, DSA-3092-1, DSA-3144-1, DSA-3147-1, DSA-3253-1, DSA-3489-1 |
Debian Bugs | 765539, 765702, 765928, 768164, 769904, 769905, 771359 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
arora (PTS) | jessie | 0.11.0+qt5+git2014-04-06-1 | vulnerable |
bouncycastle (PTS) | jessie, jessie (lts) | 1.49+dfsg-3+deb8u3 | fixed |
| stretch (security) | 1.56-1+deb9u3 | fixed |
| stretch (lts), stretch | 1.56-1+deb9u4 | fixed |
| buster (security), buster, buster (lts) | 1.60-1+deb10u1 | fixed |
| bullseye | 1.68-2 | fixed |
| bookworm | 1.72-2 | fixed |
| sid, trixie | 1.77-1 | fixed |
chromium-browser (PTS) | jessie, jessie (lts) | 57.0.2987.98-1~deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 71.0.3578.80-1~deb9u1 | fixed |
conkeror (PTS) | jessie | 1.0~~pre-1+git141025-1+deb8u2 | vulnerable |
| stretch | 1.0.3+git170123-1 | vulnerable |
dwb (PTS) | jessie | 20140702hg-2 | vulnerable |
epiphany-browser (PTS) | jessie | 3.14.1-1 | vulnerable |
| stretch | 3.22.7-1 | vulnerable |
| buster (security), buster, buster (lts) | 3.32.1.2-3~deb10u3 | vulnerable |
| bullseye (security), bullseye | 3.38.2-1+deb11u3 | vulnerable |
| bookworm | 43.1-1 | vulnerable |
| trixie | 47.0-1 | vulnerable |
| sid | 47.2-1 | vulnerable |
erlang (PTS) | jessie, jessie (lts) | 1:17.3-dfsg-4+deb8u2 | fixed |
| stretch (security) | 1:19.2.1+dfsg-2+deb9u1 | fixed |
| stretch (lts), stretch | 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u2 | fixed |
| buster (security), buster, buster (lts) | 1:22.2.7+dfsg-1+deb10u1 | fixed |
| bullseye | 1:23.2.6+dfsg-1+deb11u1 | fixed |
| bookworm | 1:25.2.3+dfsg-1 | fixed |
| trixie | 1:25.3.2.12+dfsg-3 | fixed |
| sid | 1:27.1.2+dfsg-1 | fixed |
gnutls28 (PTS) | jessie, jessie (lts) | 3.3.30-0+deb8u2 | fixed |
| stretch (security) | 3.5.8-5+deb9u6 | fixed |
| stretch (lts), stretch | 3.5.8-5+deb9u7 | fixed |
| buster (security), buster, buster (lts) | 3.6.7-4+deb10u12 | fixed |
| bullseye | 3.7.1-5+deb11u5 | fixed |
| bullseye (security) | 3.7.1-5+deb11u6 | fixed |
| bookworm | 3.7.9-2+deb12u3 | fixed |
| sid, trixie | 3.8.8-2 | fixed |
haskell-tls (PTS) | jessie | 1.2.9-2 | fixed |
| stretch | 1.3.8-3 | fixed |
| buster | 1.4.1-3 | fixed |
| bullseye | 1.5.4-1 | fixed |
| bookworm | 1.5.8-1 | fixed |
| sid, trixie | 1.8.0-1 | fixed |
icedove (PTS) | jessie | 1:52.3.0-4~deb8u2 | fixed |
kde-baseapps (PTS) | jessie | 4:4.14.2-1 | vulnerable |
| stretch | 4:16.08.3-1 | vulnerable |
lighttpd (PTS) | jessie, jessie (lts) | 1.4.35-4+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 1.4.45-1+deb9u1 | fixed |
| buster (security), buster, buster (lts) | 1.4.53-4+deb10u3 | fixed |
| bullseye (security), bullseye | 1.4.59-1+deb11u2 | fixed |
| bookworm | 1.4.69-1 | fixed |
| sid, trixie | 1.4.76-1 | fixed |
midori (PTS) | stretch | 0.5.11-ds1-4 | vulnerable |
| buster | 7.0-2 | vulnerable |
| bullseye | 7.0-2.1 | vulnerable |
netsurf (PTS) | jessie | 3.2+dfsg-2 | vulnerable |
| stretch | 3.6-3.1 | fixed |
| bullseye, bookworm | 3.10-1 | fixed |
| sid, trixie | 3.11-2 | fixed |
nss (PTS) | jessie, jessie (lts) | 2:3.26-1+debu8u19 | fixed |
| stretch (security) | 2:3.26.2-1.1+deb9u5 | fixed |
| stretch (lts), stretch | 2:3.26.2-1.1+deb9u8 | fixed |
| buster, buster (lts) | 2:3.42.1-1+deb10u9 | fixed |
| buster (security) | 2:3.42.1-1+deb10u8 | fixed |
| bullseye | 2:3.61-1+deb11u3 | fixed |
| bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| bookworm | 2:3.87.1-1 | fixed |
| bookworm (security) | 2:3.87.1-1+deb12u1 | fixed |
| sid, trixie | 2:3.106-1 | fixed |
openjdk-7 (PTS) | jessie, jessie (lts) | 7u321-2.6.28-0+deb8u1 | fixed |
openjdk-8 (PTS) | jessie, jessie (lts) | 8u432-b06-2~deb8u1 | fixed |
| stretch (security) | 8u332-ga-1~deb9u1 | fixed |
| stretch (lts), stretch | 8u432-b06-2~deb9u1 | fixed |
| sid | 8u432-b06-2 | fixed |
openssl (PTS) | jessie, jessie (lts) | 1.0.1t-1+deb8u22 | fixed |
| stretch (security) | 1.1.0l-1~deb9u6 | fixed |
| stretch (lts), stretch | 1.1.0l-1~deb9u10 | fixed |
| buster, buster (lts) | 1.1.1n-0+deb10u7 | fixed |
| buster (security) | 1.1.1n-0+deb10u6 | fixed |
| bullseye | 1.1.1w-0+deb11u1 | fixed |
| bullseye (security) | 1.1.1w-0+deb11u2 | fixed |
| bookworm | 3.0.15-1~deb12u1 | fixed |
| bookworm (security) | 3.0.14-1~deb12u2 | fixed |
| sid, trixie | 3.3.2-2 | fixed |
polarssl (PTS) | jessie, jessie (lts) | 1.3.9-2.1+deb8u4 | fixed |
pound (PTS) | jessie, jessie (lts) | 2.6-6+deb8u3 | fixed |
| stretch | 2.7-1.3+deb9u1 | fixed |
| bullseye | 3.0-2 | fixed |
| sid, trixie | 4.15-1 | fixed |
surf (PTS) | jessie | 0.6-1 | vulnerable |
| stretch | 0.7-2 | vulnerable |
| buster | 2.0+git20181009-4 | vulnerable |
| bullseye | 2.0+git20201107-2 | vulnerable |
| bookworm | 2.1+git20221016-4 | vulnerable |
| sid, trixie | 2.1+git20240324-1 | vulnerable |
uzbl (PTS) | jessie | 0.0.0~git.20120514-1.1 | vulnerable |
| stretch | 0.0.0~git.20120514-1.2 | vulnerable |
wolfssl (PTS) | bullseye | 4.6.0+p1-0+deb11u2 | fixed |
| bookworm | 5.5.4-2+deb12u1 | fixed |
| sid, trixie | 5.7.2-0.1 | fixed |
The information below is based on the following data on fixed versions.