Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201503-11 ] OpenSSL: Multiple vulnerabilities
Date: Thu, 19 Mar 2015 17:31:52
Message-Id: 550B0710.3090404@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201503-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL: Multiple vulnerabilities
Date: March 19, 2015
Bugs: #543552
ID: 201503-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSSL that can result in
either Denial of Service or information disclosure.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl           < 1.0.1l-r1            *>= 0.9.8z_p5-r1
                                                           >= 1.0.1l-r1

Description
===========

Multiple vulnerabilities have been found in OpenSSL. Please review the
CVE identifiers and the upstream advisory referenced below for details:

* RSA silently downgrades to EXPORT_RSA [Client] (Reclassified)
  (CVE-2015-0204)
* Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
* ASN.1 structure reuse memory corruption (CVE-2015-0287)
* X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
* PKCS7 NULL pointer dereferences (CVE-2015-0289)
* Base64 decode (CVE-2015-0292)
* DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
* Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

The following issues affect OpenSSL 1.0.2 only, which is not part of the
supported Gentoo stable tree:

* OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
* Multiblock corrupted pointer (CVE-2015-0290)
* Segmentation fault in DTLSv1_listen (CVE-2015-0207)
* Segmentation fault for invalid PSS parameters (CVE-2015-0208)
* Empty CKE with client auth and DHE (CVE-2015-1787)
* Handshake with unseeded PRNG (CVE-2015-0285)

Impact
======

A remote attacker can utilize multiple vectors to cause Denial of
Service or Information Disclosure.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL 1.0.1 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1l-r1"

All OpenSSL 0.9.8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8z_p5-r1"

Packages which depend on the OpenSSL library need to be restarted for
the upgrade to take effect. Some packages may need to be recompiled.
Tools such as revdep-rebuild may assist in identifying some of these
packages.
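As an added check, not part of this advisory or of Gentoo's own tooling: the script below encodes the Affected packages table (vulnerable below 1.0.1l-r1, except that the 0.9.8 branch is unaffected from 0.9.8z_p5-r1) in a small Gentoo-style version comparator, and then lists processes that still have a replaced libssl/libcrypto mapped (shown as "(deleted)" in /proc/<pid>/maps), which is the case the last paragraph warns about: those processes keep running the old code until restarted. The comparator handles only the version shapes used in this GLSA (numeric parts, trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision), not the full Package Manager Specification rules, and the sample maps lines are constructed, not captured from a real system.

```python
"""Added example for GLSA 201503-11: version check against the Affected table
and detection of processes that still map a replaced libssl/libcrypto."""
import os
import re

# Thresholds taken directly from the advisory's "Affected packages" table.
UNAFFECTED_098 = "0.9.8z_p5-r1"   # the "*>=" entry: applies to the 0.9.8 branch only
UNAFFECTED_101 = "1.0.1l-r1"

# Suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(v):
    """Split a Gentoo version (subset of PMS rules) into (nums, letter, suffixes, rev)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError("unsupported version string: %r" % v)
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering version a against b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # A missing suffix ranks as "no suffix": above _rc, below _p.
    n = max(len(sa), len(sb))
    pad = [(_SUFFIX_RANK[None], 0)]
    sa = sa + pad * (n - len(sa))
    sb = sb + pad * (n - len(sb))
    ka, kb = (na, la, sa, ra), (nb, lb, sb, rb)
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed):
    """True if the installed dev-libs/openssl version is in the GLSA's vulnerable range."""
    nums = parse_version(installed)[0]
    if nums[:3] == (0, 9, 8):
        return compare_versions(installed, UNAFFECTED_098) < 0
    return compare_versions(installed, UNAFFECTED_101) < 0


# A mapped library whose file was replaced on disk shows up as "(deleted)".
_STALE_RE = re.compile(r"lib(ssl|crypto)\.so\S*\s+\(deleted\)\s*$")


def stale_ssl_pids(maps_by_pid):
    """Given {pid: contents of /proc/<pid>/maps}, return PIDs still mapping a
    replaced libssl/libcrypto; these processes need a restart after the upgrade."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(_STALE_RE.search(line) for line in text.splitlines()))


def read_proc_maps(proc_root="/proc"):
    """Collect readable /proc/<pid>/maps files (root is needed to see other users' processes)."""
    out = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "maps")) as f:
                    out[int(entry)] = f.read()
            except OSError:
                continue
    return out


# Constructed sample maps content (hypothetical PIDs and addresses, not real captures).
SAMPLE_MAPS = {
    1234: "7f00-7f10 r-xp 00000000 08:01 4242 /usr/lib64/libssl.so.1.0.0 (deleted)\n"
          "7f10-7f20 r-xp 00000000 08:01 4243 /usr/lib64/libc.so.6\n",
    5678: "7f00-7f10 r-xp 00000000 08:01 4300 /usr/lib64/libssl.so.1.0.0\n",
}

if __name__ == "__main__":
    for v in ("1.0.1k", "1.0.1l-r1", "0.9.8z_p5", "0.9.8z_p5-r1"):
        print(v, "vulnerable" if is_vulnerable(v) else "unaffected")
    print("sample maps, processes to restart:", stale_ssl_pids(SAMPLE_MAPS))
    print("this host, processes to restart:", stale_ssl_pids(read_proc_maps()))
```

Run it as root on the upgraded host to get the list of processes that still hold the old library; the version check takes the version part of the installed atom (for example from `equery list dev-libs/openssl` or the /var/db/pkg directory name). The "(deleted)" heuristic only catches libraries whose on-disk file was replaced by the upgrade, so statically linked consumers, which the advisory covers under "may need to be recompiled", are not reported by it.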

References
==========

[ 1 ] CVE-2015-0204
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0204
[ 2 ] CVE-2015-0207
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0207
[ 3 ] CVE-2015-0208
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0208
[ 4 ] CVE-2015-0209
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0209
[ 5 ] CVE-2015-0285
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0285
[ 6 ] CVE-2015-0287
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0287
[ 7 ] CVE-2015-0288
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0288
[ 8 ] CVE-2015-0289
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0289
[ 9 ] CVE-2015-0290
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0290
[ 10 ] CVE-2015-0291
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0291
[ 11 ] CVE-2015-0292
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0292
[ 12 ] CVE-2015-0293
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0293
[ 13 ] CVE-2015-1787
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1787
[ 14 ] OpenSSL Security Advisory [19 Mar 2015]
      http://openssl.org/news/secadv_20150319.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201503-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJVCwcJAAoJEP7VAChXwav6oroH/jqtOK79q1ZHZkWSBBGA04/m
7J9gqjPFz9Vxm1eMy23Wgo809CQ5pWssh2h5cWIhVABF4gkOCrUUgL6SA4SQ35v6
tfUyG5vpxeXIpawV4sbyzd0cUpz6np+9gdfPUo9UvYyHYP5kISq1UsEiGKtZiaJh
+U+NYCccpFNa14U8v3wBsHG3vkytad9Cq60gd3V8fU/l4EfEfsXotFiQTa6XOq/C
vH2jRRis2z8Pdl9tyJBK6ITHIH0zj2ZKDvVtIYl5VSNCpx1kAt0iScYJ0ttUK6q4
P5+35clHbcMGFm7SRzte1ojaZcsd+ZSazCMLi2wL1h6plPIE3U+ci9YbZtpOHEI=
=KEIF
-----END PGP SIGNATURE-----