[gentoo-announce] [ GLSA 201603-15 ] OpenSSL: Multiple vulnerabilities - gentoo-announce

From:	Tobias Heinlein <keytoaster@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201603-15 ] OpenSSL: Multiple vulnerabilities
Date:	Sun, 20 Mar 2016 16:14:10
Message-Id:	`56EEAA05.4030906@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201603-15

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: OpenSSL: Multiple vulnerabilities

9

     Date: March 20, 2016

10

     Bugs: #575548

11

       ID: 201603-15

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in OpenSSL, the worst allowing

19

remote attackers to decrypt TLS sessions.

20

21

Background

22

==========

23

24

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer

25

(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general

26

purpose cryptography library.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-libs/openssl           < 1.0.2g-r2              >= 1.0.2g-r2

35

36

Description

37

===========

38

39

Multiple vulnerabilities have been discovered in OpenSSL, the worst

40

being a cross-protocol attack called DROWN that could lead to the

41

decryption of TLS sessions. Please review the CVE identifiers

42

referenced below for details.

43

44

Impact

45

======

46

47

A remote attacker could decrypt TLS sessions by using a server

48

supporting SSLv2 and EXPORT cipher suites as a

49

Bleichenbacher RSA padding oracle, cause a Denial of Service condition,

50

obtain sensitive information from memory and (in rare circumstances)

51

recover RSA keys.

52

53

Workaround

54

==========

55

56

A workaround for DROWN is disabling the SSLv2 protocol on all SSL/TLS

57

servers.

58

59

Resolution

60

==========

61

62

All OpenSSL users should upgrade to the latest version:

63

64

  # emerge --sync

65

  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2g-r2"

66

67

Please note that beginning with OpenSSL 1.0.2, in order to mitigate the

68

DROWN attack, the OpenSSL project disables SSLv2 by default at

69

build-time. As this change would cause severe issues with some Gentoo

70

packages that depend on OpenSSL, Gentoo still ships OpenSSL with SSLv2

71

enabled at build-time. Note that this does not mean that you are still

72

vulnerable to DROWN because the OpenSSL project has taken further

73

precautions and applications would need to explicitly request SSLv2. We

74

are working on a migration path to phase out SSLv2 that ensures that no

75

user-facing issues occur. Please reference bug 576128 for further

76

details on how this decision was made.

77

78

References

79

==========

80

81

[ 1 ] CVE-2016-0702

82

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0702

83

[ 2 ] CVE-2016-0703

84

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0703

85

[ 3 ] CVE-2016-0704

86

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0704

87

[ 4 ] CVE-2016-0705

88

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0705

89

[ 5 ] CVE-2016-0797

90

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0797

91

[ 6 ] CVE-2016-0798

92

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0798

93

[ 7 ] CVE-2016-0799

94

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0799

95

[ 8 ] CVE-2016-0800

96

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0800

97

98

Availability

99

============

100

101

This GLSA and any updates to it are available for viewing at

102

the Gentoo Security Website:

103

104

 https://security.gentoo.org/glsa/201603-15

105

106

Concerns?

107

=========

108

109

Security is a primary focus of Gentoo Linux and ensuring the

110

confidentiality and security of our users' machines is of utmost

111

importance to us. Any security concerns should be addressed to

112

security@g.o or alternatively, you may file a bug at

113

https://bugs.gentoo.org.

114

115

License

116

=======

117

118

Copyright 2016 Gentoo Foundation, Inc; referenced text

119

belongs to its owner(s).

120

121

The contents of this document are licensed under the

122

Creative Commons - Attribution / Share Alike license.

123

124

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201603-15
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: OpenSSL: Multiple vulnerabilities
9	Date: March 20, 2016
10	Bugs: #575548
11	ID: 201603-15
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in OpenSSL, the worst allowing
19	remote attackers to decrypt TLS sessions.
20
21	Background
22	==========
23
24	OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
25	(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
26	purpose cryptography library.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-libs/openssl < 1.0.2g-r2 >= 1.0.2g-r2
35
36	Description
37	===========
38
39	Multiple vulnerabilities have been discovered in OpenSSL, the worst
40	being a cross-protocol attack called DROWN that could lead to the
41	decryption of TLS sessions. Please review the CVE identifiers
42	referenced below for details.
43
44	Impact
45	======
46
47	A remote attacker could decrypt TLS sessions by using a server
48	supporting SSLv2 and EXPORT cipher suites as a
49	Bleichenbacher RSA padding oracle, cause a Denial of Service condition,
50	obtain sensitive information from memory and (in rare circumstances)
51	recover RSA keys.
52
53	Workaround
54	==========
55
56	A workaround for DROWN is disabling the SSLv2 protocol on all SSL/TLS
57	servers.
58
59	Resolution
60	==========
61
62	All OpenSSL users should upgrade to the latest version:
63
64	# emerge --sync
65	# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2g-r2"
66
67	Please note that beginning with OpenSSL 1.0.2, in order to mitigate the
68	DROWN attack, the OpenSSL project disables SSLv2 by default at
69	build-time. As this change would cause severe issues with some Gentoo
70	packages that depend on OpenSSL, Gentoo still ships OpenSSL with SSLv2
71	enabled at build-time. Note that this does not mean that you are still
72	vulnerable to DROWN because the OpenSSL project has taken further
73	precautions and applications would need to explicitly request SSLv2. We
74	are working on a migration path to phase out SSLv2 that ensures that no
75	user-facing issues occur. Please reference bug 576128 for further
76	details on how this decision was made.
77
78	References
79	==========
80
81	[ 1 ] CVE-2016-0702
82	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0702
83	[ 2 ] CVE-2016-0703
84	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0703
85	[ 3 ] CVE-2016-0704
86	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0704
87	[ 4 ] CVE-2016-0705
88	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0705
89	[ 5 ] CVE-2016-0797
90	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0797
91	[ 6 ] CVE-2016-0798
92	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0798
93	[ 7 ] CVE-2016-0799
94	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0799
95	[ 8 ] CVE-2016-0800
96	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0800
97
98	Availability
99	============
100
101	This GLSA and any updates to it are available for viewing at
102	the Gentoo Security Website:
103
104	https://security.gentoo.org/glsa/201603-15
105
106	Concerns?
107	=========
108
109	Security is a primary focus of Gentoo Linux and ensuring the
110	confidentiality and security of our users' machines is of utmost
111	importance to us. Any security concerns should be addressed to
112	security@g.o or alternatively, you may file a bug at
113	https://bugs.gentoo.org.
114
115	License
116	=======
117
118	Copyright 2016 Gentoo Foundation, Inc; referenced text
119	belongs to its owner(s).
120
121	The contents of this document are licensed under the
122	Creative Commons - Attribution / Share Alike license.
123
124	http://creativecommons.org/licenses/by-sa/2.5