
[ MDVSA-2015:062 ] openssl




 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:062
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : openssl
 Date    : March 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:
 
 Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
 through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows
 remote attackers to inject data across sessions or cause a denial of
 service (use-after-free and parsing error) via an SSL connection in
 a multithreaded environment (CVE-2010-5298).
 
 The Montgomery ladder implementation in OpenSSL through 1.0.0l does
 not ensure that certain swap operations have a constant-time behavior,
 which makes it easier for local users to obtain ECDSA nonces via a
 FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).
 
 The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before
 1.0.1g do not properly handle Heartbeat Extension packets, which allows
 remote attackers to obtain sensitive information from process memory
 via crafted packets that trigger a buffer over-read, as demonstrated
 by reading private keys, related to d1_both.c and t1_lib.c, aka the
 Heartbleed bug (CVE-2014-0160).
 
 The dtls1_reassemble_fragment function in d1_both.c in OpenSSL
 before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
 not properly validate fragment lengths in DTLS ClientHello messages,
 which allows remote attackers to execute arbitrary code or cause a
 denial of service (buffer overflow and application crash) via a long
 non-initial fragment (CVE-2014-0195).
 
 The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g,
 when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a
 buffer pointer during certain recursive calls, which allows remote
 attackers to cause a denial of service (NULL pointer dereference
 and application crash) via vectors that trigger an alert condition
 (CVE-2014-0198).
 
 The dtls1_get_message_fragment function in d1_both.c in OpenSSL before
 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote
 attackers to cause a denial of service (recursion and client crash)
 via a DTLS hello message in an invalid DTLS handshake (CVE-2014-0221).
 
 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
 1.0.1h does not properly restrict processing of ChangeCipherSpec
 messages, which allows man-in-the-middle attackers to trigger use of a
 zero-length master key in certain OpenSSL-to-OpenSSL communications,
 and consequently hijack sessions or obtain sensitive information,
 via a crafted TLS handshake, aka the CCS Injection vulnerability
 (CVE-2014-0224).
 
 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
 before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
 an anonymous ECDH cipher suite is used, allows remote attackers to
 cause a denial of service (NULL pointer dereference and client crash)
 by triggering a NULL certificate value (CVE-2014-3470).
 
 Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1
 before 1.0.1j allows remote attackers to cause a denial of service
 (memory consumption) via a crafted handshake message (CVE-2014-3513).
 
 The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
 products, uses nondeterministic CBC padding, which makes it easier
 for man-in-the-middle attackers to obtain cleartext data via a
 padding-oracle attack, aka the POODLE issue (CVE-2014-3566).
 
 Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL
 before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows
 remote attackers to cause a denial of service (memory consumption)
 via a crafted session ticket that triggers an integrity-check failure
 (CVE-2014-3567).
 
 The ssl23_get_client_hello function in s23_srvr.c in OpenSSL
 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to
 use unsupported protocols, which allows remote attackers to cause a
 denial of service (NULL pointer dereference and daemon crash) via
 an unexpected handshake, as demonstrated by an SSLv3 handshake to
 a no-ssl3 application with certain error handling. NOTE: this issue
 became relevant after the CVE-2014-3568 fix (CVE-2014-3569).
 
 The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before
 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square
 of a BIGNUM value, which might make it easier for remote attackers to
 defeat cryptographic protection mechanisms via unspecified vectors,
 related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and
 crypto/bn/bn_asm.c (CVE-2014-3570).
 
 OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
 allows remote attackers to cause a denial of service (NULL pointer
 dereference and application crash) via a crafted DTLS message that
 is processed with a different read operation for the handshake header
 than for the handshake body, related to the dtls1_get_record function
 in d1_pkt.c and the ssl3_read_n function in s3_pkt.c (CVE-2014-3571).
 
 The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote
 SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger
 a loss of forward secrecy by omitting the ServerKeyExchange message
 (CVE-2014-3572).
 
 OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
 does not enforce certain constraints on certificate data, which allows
 remote attackers to defeat a fingerprint-based certificate-blacklist
 protection mechanism by including crafted data within a
 certificate's unsigned portion, related to crypto/asn1/a_verify.c,
 crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c
 (CVE-2014-8275).
 
 The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
 servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
 brute-force decryption by offering a weak ephemeral RSA key in a
 noncompliant role, related to the FREAK issue. NOTE: the scope of
 this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
 associated with servers or other TLS implementations (CVE-2015-0204).
 
 The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before
 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a
 Diffie-Hellman (DH) certificate without requiring a CertificateVerify
 message, which allows remote attackers to obtain access without
 knowledge of a private key via crafted TLS Handshake Protocol traffic
 to a server that recognizes a Certification Authority with DH support
 (CVE-2015-0205).
 
 Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL
 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers
 to cause a denial of service (memory consumption) by sending many
 duplicate records for the next epoch, leading to failure of replay
 detection (CVE-2015-0206).
 
 Use-after-free vulnerability in the d2i_ECPrivateKey function in
 crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
 attackers to cause a denial of service (memory corruption and
 application crash) or possibly have unspecified other impact via a
 malformed Elliptic Curve (EC) private-key file that is improperly
 handled during import (CVE-2015-0209).
 
 The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before
 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
 1.0.2a does not properly perform boolean-type comparisons, which allows
 remote attackers to cause a denial of service (invalid read operation
 and application crash) via a crafted X.509 certificate to an endpoint
 that uses the certificate-verification feature (CVE-2015-0286).
 
 The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
 before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
 before 1.0.2a does not reinitialize CHOICE and ADB data structures,
 which might allow attackers to cause a denial of service (invalid
 write operation and memory corruption) by leveraging an application
 that relies on ASN.1 structure reuse (CVE-2015-0287).
 
 The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL
 before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
 before 1.0.2a might allow attackers to cause a denial of service
 (NULL pointer dereference and application crash) via an invalid
 certificate key (CVE-2015-0288).
 
 The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
 properly handle a lack of outer ContentInfo, which allows attackers to
 cause a denial of service (NULL pointer dereference and application
 crash) by leveraging an application that processes arbitrary PKCS#7
 data and providing malformed data with ASN.1 encoding, related to
 crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).
 
 The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote
 attackers to cause a denial of service (s2_lib.c assertion failure and
 daemon exit) via a crafted CLIENT-MASTER-KEY message (CVE-2015-0293).
 
 The updated packages have been upgraded to the 1.0.1m version, where
 these security flaws have been fixed.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
 http://openssl.org/news/secadv_20150108.txt
 http://openssl.org/news/secadv_20150319.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 324a85f7e1165ab02881e44dbddaf599  mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm
 9c0bfb6ebd43cb6d81872abf71b4f85f  mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm
 58df54e72ca7270210c7d8dd23df402b  mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm
 b5313ffb5baaa65aea05eb05486d309a  mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm
 a9890ce4c33630cb9e00f3b2910dd784  mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm 
 521297a5fe26e2de0c1222d8d03382d1  mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
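
 Added example, not part of the advisory or of Mandriva's tooling: a Python port of rpm's version-comparison algorithm (rpmvercmp; '~' handled, the rarer '^' separator omitted) that decides whether an installed openssl package sorts below the fixed level openssl-1.0.1m-1.mbs2 listed above, since plain lexical comparison of version strings such as 1.0.1g and 1.0.1m is not reliable in general. The installed-version strings used in the checks are constructed.

```python
import re

FIXED_EVR = "1.0.1m-1.mbs2"  # fixed level from the advisory's package list

def rpmvercmp(a, b):
    """rpm's rpmvercmp() ported to Python ('^' not handled); returns -1, 0 or 1."""
    i = j = 0
    while True:
        # separators (anything but alnum or '~') are skipped, never compared
        i += len(re.match(r"[^0-9A-Za-z~]*", a[i:]).group(0))
        j += len(re.match(r"[^0-9A-Za-z~]*", b[j:]).group(0))
        ca, cb = a[i:i + 1], b[j:j + 1]
        if ca == "~" or cb == "~":  # '~' sorts before anything, even end of string
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # one numeric, one alpha segment: numeric is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:  # numeric: strip leading zeros, then the longer run is newer
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a[i:] and not b[j:]:
        return 0
    return 1 if a[i:] else -1  # whichever string has characters left wins

def split_evr(evr):
    """'[epoch:]version-release' -> (epoch, version, release); a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    version, _, release = (rest if sep else evr).partition("-")
    return (epoch if sep else "0"), version, release

def is_vulnerable(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed openssl EVR sorts below the advisory's fixed level."""
    for x, y in zip(split_evr(installed_evr), split_evr(fixed_evr)):
        r = rpmvercmp(x, y)
        if r:
            return r < 0
    return False
```

 Feed it the string printed by `rpm -q --queryformat '%{VERSION}-%{RELEASE}' openssl` on the host being checked.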

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>