[gentoo-announce] [ GLSA 201503-11 ] OpenSSL: Multiple vulnerabilities

Fabricante: Gentoo
Fecha: 19/03/2015
Identificador: GLSA 201503-11
[gentoo-announce] [ GLSA 201503-11 ] OpenSSL: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201503-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: March 19, 2015 Bugs: #543552 ID: 201503-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. Background ========== OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.1l-r1 *>= 0.9.8z_p5-r1 >= 1.0.1l-r1 Description =========== Multiple vulnerabilities have been found in OpenSSL. Please review the CVE identifiers and the upstream advisory referenced below for details: * RSA silently downgrades to EXPORT_RSA [Client] (Reclassified) (CVE-2015-0204) * Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) * ASN.1 structure reuse memory corruption (CVE-2015-0287) * X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) * PKCS7 NULL pointer dereferences (CVE-2015-0289) * Base64 decode (CVE-2015-0292) * DoS via reachable assert in SSLv2 servers (CVE-2015-0293) * Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) The following issues affect OpenSSL 1.0.2 only which is not part of the supported Gentoo stable tree: * OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) * Multiblock corrupted pointer (CVE-2015-0290) * Segmentation fault in DTLSv1_listen (CVE-2015-0207) * Segmentation fault for invalid PSS parameters (CVE-2015-0208) * Empty CKE with client auth and DHE (CVE-2015-1787) * Handshake with unseeded PRNG (CVE-2015-0285) Impact ====== A remote attacker can utilize multiple vectors to cause Denial of Service or Information Disclosure. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL 1.0.1 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1l-r1" All OpenSSL 0.9.8 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8z_p5-r1" Packages which depend on the OpenSSL library need to be restarted for the upgrade to take effect. Some packages may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages. References ========== [ 1 ] CVE-2015-0204 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0204 [ 2 ] CVE-2015-0207 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0207 [ 3 ] CVE-2015-0208 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0208 [ 4 ] CVE-2015-0209 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0209 [ 5 ] CVE-2015-0285 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0285 [ 6 ] CVE-2015-0287 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0287 [ 7 ] CVE-2015-0288 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0288 [ 8 ] CVE-2015-0289 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0289 [ 9 ] CVE-2015-0290 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0290 [ 10 ] CVE-2015-0291 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0291 [ 11 ] CVE-2015-0292 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0292 [ 12 ] CVE-2015-0293 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0293 [ 13 ] CVE-2015-1787 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1787 [ 14 ] OpenSSL Security Advisory [19 Mar 2015] http://openssl.org/news/secadv_20150319.txt Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201503-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJVCwcJAAoJEP7VAChXwav6oroH/jqtOK79q1ZHZkWSBBGA04/m 7J9gqjPFz9Vxm1eMy23Wgo809CQ5pWssh2h5cWIhVABF4gkOCrUUgL6SA4SQ35v6 tfUyG5vpxeXIpawV4sbyzd0cUpz6np+9gdfPUo9UvYyHYP5kISq1UsEiGKtZiaJh +U+NYCccpFNa14U8v3wBsHG3vkytad9Cq60gd3V8fU/l4EfEfsXotFiQTa6XOq/C vH2jRRis2z8Pdl9tyJBK6ITHIH0zj2ZKDvVtIYl5VSNCpx1kAt0iScYJ0ttUK6q4 P5+35clHbcMGFm7SRzte1ojaZcsd+ZSazCMLi2wL1h6plPIE3U+ci9YbZtpOHEI= =KEIF -----END PGP SIGNATURE-----