From: | Kristian Fiskerstrand <k_f@g.o> |
---|---|
To: | gentoo-announce@l.g.o |
Subject: | [gentoo-announce] [ GLSA 201503-11 ] OpenSSL: Multiple vulnerabilities |
Date: | Thu, 19 Mar 2015 17:31:52 |
Message-Id: | 550B0710.3090404@gentoo.org |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201503-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSL: Multiple vulnerabilities
      Date: March 19, 2015
      Bugs: #543552
        ID: 201503-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSSL that can result in
either Denial of Service or information disclosure.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl            < 1.0.1l-r1          *>= 0.9.8z_p5-r1
                                                           >= 1.0.1l-r1

Description
===========

Multiple vulnerabilities have been found in OpenSSL. Please review the
CVE identifiers and the upstream advisory referenced below for details:

* RSA silently downgrades to EXPORT_RSA [Client] (Reclassified)
  (CVE-2015-0204)
* Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
* ASN.1 structure reuse memory corruption (CVE-2015-0287)
* X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
* PKCS7 NULL pointer dereferences (CVE-2015-0289)
* Base64 decode (CVE-2015-0292)
* DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
* Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

The following issues affect OpenSSL 1.0.2 only, which is not part of the
supported Gentoo stable tree:

* OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
* Multiblock corrupted pointer (CVE-2015-0290)
* Segmentation fault in DTLSv1_listen (CVE-2015-0207)
* Segmentation fault for invalid PSS parameters (CVE-2015-0208)
* Empty CKE with client auth and DHE (CVE-2015-1787)
* Handshake with unseeded PRNG (CVE-2015-0285)

Impact
======

A remote attacker can utilize multiple vectors to cause Denial of
Service or Information Disclosure.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL 1.0.1 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1l-r1"

All OpenSSL 0.9.8 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8z_p5-r1"

Packages which depend on the OpenSSL library need to be restarted for
the upgrade to take effect. Some packages may need to be recompiled.
Tools such as revdep-rebuild may assist in identifying some of these
packages.
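The Resolution above leaves two practical questions to the administrator: whether the installed dev-libs/openssl falls inside the advisory's vulnerable range, and which running processes still hold the old library after the upgrade (the restart requirement in the last paragraph). The POSIX shell script below is an added example, not part of GLSA 201503-11 or of Gentoo's own tooling. It assumes a sort(1) that understands -V (GNU coreutils or a modern BSD), the Portage package database under /var/db/pkg, and a Linux procfs; the /proc/<pid>/maps lines embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for GLSA 201503-11: classify an installed OpenSSL version
# against the advisory's bounds and find processes still mapping a replaced
# libssl/libcrypto. Assumes `sort -V`, /var/db/pkg and /proc (see lead-in).

# Return 0 when version $1 sorts strictly before version $2.
# Gentoo version strings such as 1.0.1l-r1 and 0.9.8z_p5-r1 order correctly
# under `sort -V` (a bare version sorts before the same version with -rN).
ver_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Return 0 when dev-libs/openssl version $1 is in the advisory's vulnerable
# range (< 1.0.1l-r1, with >= 0.9.8z_p5-r1 unaffected in the 0.9.8 branch),
# 1 when unaffected, 2 for a branch the advisory does not cover (1.0.2 is
# outside the supported Gentoo stable tree).
glsa_201503_11_vulnerable() {
    case "$1" in
        0.9.8*)        ver_lt "$1" "0.9.8z_p5-r1" ;;
        1.0.0*|1.0.1*) ver_lt "$1" "1.0.1l-r1" ;;
        *)             return 2 ;;
    esac
}

# Human-readable classification: vulnerable / unaffected / not-covered.
classify_openssl() {
    glsa_201503_11_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) echo vulnerable ;;
        1) echo unaffected ;;
        *) echo not-covered ;;
    esac
}

# Installed dev-libs/openssl versions from the Portage database, where each
# installed package is a directory named <pkg>-<version>.
installed_openssl_versions() {
    for dir in /var/db/pkg/dev-libs/openssl-*; do
        [ -d "$dir" ] || continue
        echo "${dir#/var/db/pkg/dev-libs/openssl-}"
    done
}

# Read /proc/<pid>/maps content on stdin; return 0 when it references a
# libssl/libcrypto object that was replaced on disk. The kernel appends
# "(deleted)" to such mappings, and the process keeps executing the
# pre-upgrade code until it is restarted.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[.0-9]* \(deleted\)$'
}

# List PIDs still mapping a deleted OpenSSL library (run as root to see
# every process; unreadable maps files are skipped).
list_stale_openssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if maps_has_stale_openssl < "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample maps content (not from a real host): one mapping of a
# replaced libssl plus an ordinary libc mapping.
SAMPLE_MAPS='7f1e2c000000-7f1e2c1d3000 r-xp 00000000 08:01 393244 /usr/lib64/libssl.so.1.0.0 (deleted)
7f1e2c400000-7f1e2c5b8000 r-xp 00000000 08:01 393201 /lib64/libc-2.20.so'

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_MAPS" | maps_has_stale_openssl; then
    echo "sample maps: process still uses a deleted libssl, restart needed"
fi

# Host check: only does something on a Gentoo system, harmless elsewhere.
if [ -d /var/db/pkg/dev-libs ]; then
    for v in $(installed_openssl_versions); do
        echo "dev-libs/openssl-$v: $(classify_openssl "$v") per GLSA 201503-11"
    done
    stale=$(list_stale_openssl_pids)
    if [ -n "$stale" ]; then
        echo "processes still mapping a deleted libssl/libcrypto (restart them):"
        echo "$stale"
    fi
fi
```

Run it as root after the emerge step so that every process's maps file is readable. The "(deleted)" check only finds processes that must be restarted; packages that need recompiling because they were built against a library that is no longer present are a separate case, which is what revdep-rebuild covers.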

References
==========

[ 1 ] CVE-2015-0204
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0204
[ 2 ] CVE-2015-0207
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0207
[ 3 ] CVE-2015-0208
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0208
[ 4 ] CVE-2015-0209
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0209
[ 5 ] CVE-2015-0285
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0285
[ 6 ] CVE-2015-0287
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0287
[ 7 ] CVE-2015-0288
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0288
[ 8 ] CVE-2015-0289
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0289
[ 9 ] CVE-2015-0290
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0290
[ 10 ] CVE-2015-0291
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0291
[ 11 ] CVE-2015-0292
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0292
[ 12 ] CVE-2015-0293
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0293
[ 13 ] CVE-2015-1787
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1787
[ 14 ] OpenSSL Security Advisory [19 Mar 2015]
       http://openssl.org/news/secadv_20150319.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201503-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJVCwcJAAoJEP7VAChXwav6oroH/jqtOK79q1ZHZkWSBBGA04/m
7J9gqjPFz9Vxm1eMy23Wgo809CQ5pWssh2h5cWIhVABF4gkOCrUUgL6SA4SQ35v6
tfUyG5vpxeXIpawV4sbyzd0cUpz6np+9gdfPUo9UvYyHYP5kISq1UsEiGKtZiaJh
+U+NYCccpFNa14U8v3wBsHG3vkytad9Cq60gd3V8fU/l4EfEfsXotFiQTa6XOq/C
vH2jRRis2z8Pdl9tyJBK6ITHIH0zj2ZKDvVtIYl5VSNCpx1kAt0iScYJ0ttUK6q4
P5+35clHbcMGFm7SRzte1ojaZcsd+ZSazCMLi2wL1h6plPIE3U+ci9YbZtpOHEI=
=KEIF
-----END PGP SIGNATURE-----