1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3197-2] openssl regression update

    From Salvatore Bonaccorso@1:229/2 to All on Tue Mar 24 22:40:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3197-2 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso
    March 24, 2015 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssl
    CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288
    CVE-2015-0289 CVE-2015-0292
    Debian Bug : 781081

    The openssl update issued as DSA 3197-1 caused regressions. This update
    reverts the defective patch applied in that update causing these
    problems. Additionally a follow-up fix for CVE-2015-0209 is applied.
    For reference the original advisory text follows.

    Multiple vulnerabilities have been discovered in OpenSSL, a Secure
    Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2015-0286

    Stephen Henson discovered that the ASN1_TYPE_cmp() function
    can be crashed, resulting in denial of service.

    CVE-2015-0287

    Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

    CVE-2015-0289

    Michal Zalewski discovered a NULL pointer dereference in the
    PKCS#7 parsing code, resulting in denial of service.

    CVE-2015-0292

    It was discovered that missing input sanitising in base64 decoding
    might result in memory corruption.

    CVE-2015-0209

    It was discovered that a malformed EC private key might result in
    memory corruption.

    CVE-2015-0288

    It was discovered that missing input sanitising in the
    X509_to_X509_REQ() function might result in denial of service.

    For the stable distribution (wheezy), these problems have been fixed in
    version 1.0.1e-2+deb7u16.

    We recommend that you upgrade your openssl packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJVEdXzAAoJEAVMuPMTQ89E2dcP/R2oP1KlVfpYq8Ep8BxoAa5h wGQE9J86uxtThX6mdL/CmLtTN69b3bHbcZ/grfXQqvEGSyY/zbSXyb9k54pfGc+o K+U2nIENN81yWaGhxOafIXB6ODOZ+eLAjBCLcAxsDL7d0epuyp3hcLiSq7JdeTr+ /cz12vFbVGcbqrPt4TB6j9GVdSuHKnDrs5tc7t9L+i5yJ/uYhXwL6cO+ChBM8b/2 gJiK7NOwfUhsoOvHO9yyXl6ptQ86rbymYIS9kIQ3K05YZIon1DTAc0wNjD1qr0vn u2BDsauNuBwc5IH+52iWCA/yr4QW+9unPtwOZhxurTmO+R0EQopSH01Ay8GcHytv oo8BmEUpLn8t68/fUGzbh1ynjpkUJrceHL8RmytCbJDDEtrV6KHCoHGbrWcda21n oVYU3axZhuj11No6iK0RYMvcqfOX+g40IYat7P0Rhp2P4VauGc6lZBje2q3fLQwJ SB2IkmClFaDuLZXd7BMdXHa8zIwhLjW7hGYcKaLGCulLiQFOaZD/AKEOPUaHb+9I W8Kvr+7wEwr9Bl1Tnn0N0SmRkrpBjbXqbhYElAfEWjIcMiZ4lsGIQ+iqkyx5R1HT uVGwD5CY7dSjb6vStSgm5IO0/+h6UEa02uFm61Zv41WtER7aXtOwSWxPKre4gRV+ 3LPBue6eb2uGngYInaUQ
    =8XMK
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)