Univention Bugzilla – Bug 37958
openssl: Denial of service (ES 3.1)
Last modified: 2015-05-04 17:05:58 CEST
NULL pointer dereference in X509 parsing (CVE-2015-0288)
NULL pointer dereference in elliptic curves (CVE-2015-0209)
Handshake with unseeded PRNG (CVE-2015-0285)
Created attachment 6772 [details] 3.1-openssl.txt.asc
CVE-2015-0285 does not apply to 0.9.8o, introduced later via upstream git commit 173e72e64c6a07ae97660c322396b66215009f33 (Mon Mar 11 15:34:28 2013).
The patches from errata3.2-5 (Bug 37959) have been copied to extsec3.1 and the package has been rebuilt in the scope. See attachment for proposed advisory mail.
OK: aptitude install '?source-package(openssl)?installed' # i386
OK: dpkg-query -W openssl # 0.9.8o-4.90.201503181329
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: openssl s_client -host www.univention.de -port 443 <<<'GET /'
FAIL: 3.1-openssl.txt.asc dere[r -> f]erence
OK: r14494 patch
Additional issues:
Denial of service during certificate signature algorithm verification in ASN1_TYPE_cmp function (CVE-2015-0286)
Memory corruption in ASN.1 parsing. Only affects applications with rarely found strongly discouraged ASN.1 parsing flaw (CVE-2015-0287)
Denial of service due to NULL pointer dereference in the PKCS#7 parsing code. Quote: "Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected." (CVE-2015-0289)
Memory corruption due to missing input sanitising in base64 decoding. Could be exploited by maliciously crafted base64 data. Quote: "Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines)." (CVE-2015-0292)
See Bug 37959 comment 5:
<https://lists.debian.org/debian-lts-announce/2015/03/msg00014.html>
<https://packages.debian.org/search?keywords=openssl&searchon=names&suite=all&section=all>
Also required for Ticket #2015032321000447.
Created attachment 6778 [details] 3.1-openssl.txt.asc
The upstream package has been imported and built in extsec3.1.
OK: apt-cache policy openssl # 0.9.8o-4.97.201503231742
OK: aptitude install '?source-package(openssl)?installed' # i386
OK: zless /usr/share/doc/openssl/changelog.Debian.gz # 0.9.8o-4squeeze20
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: openssl s_client -host www.univention.de -port 443 <<<'GET /'
OK: univention-certificate check -name "$(hostname -f)"
OK: univention-certificate new -name "test.$(dnsdomainname)" -days 3650
OK: echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64
(In reply to Arvid Requate from comment #4)
OK: CVE-2015-0286 CVE-2015-0289 CVE-2015-0289 CVE-2015-0292
OK: Attachment 6778 [details]
Released