Bug 40188 – openssl: multiple issues (4.0)

Bug 40188 - openssl: multiple issues (4.0)


Summary:	openssl: multiple issues (4.0)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.0-4-errata
Assigned To:	Arvid Requate
QA Contact:	Daniel Tröder

URL:
Keywords:

Depends on:	40187
Blocks:	40189
	Show dependency tree / graph

Reported:	2015-12-07 19:34 CET by Arvid Requate
Modified:	2016-03-09 16:41 CET (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2015-12-07 19:34:26 CET

+++ This bug was initially created as a clone of Bug #40187 +++

Upstream Debian package version 1.0.1e-2+deb7u18 fixes these issues:

* Denial of Service: Certificate verify crash with missing PSS parameter (CVE-2015-3194)

* PKCS#7 and CMS routines: malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195)

* Race condition handling PSK identify hint potentially leading to double free in multithreaded clients (CVE-2015-3196)

Comment 1 Arvid Requate

2016-01-11 12:26:18 CET

Upstream Debian package version 1.0.1e-2+deb7u19 fixes all of the above and the following issue:

* SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)

Comment 2 Arvid Requate

2016-01-28 19:14:29 CET

A new issue has been identified:

* SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Comment 3 Arvid Requate

2016-01-28 20:40:27 CET

Update:
 - Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)

Comment 4 Arvid Requate

2016-03-01 15:18:37 CET

The following new issues have been identified
(see https://www.openssl.org/news/secadv/20160301.txt):

* Double-free in DSA code (CVE-2016-0705)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)

The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.

Comment 5 Arvid Requate

2016-03-01 21:31:36 CET

The upstream Debian package version 1.0.1e-2+deb7u20 has been imported and built.

Advisory: openssl.yaml

Comment 6 Daniel Tröder

2016-03-02 16:51:39 CET

OK: advisory
OK: SSLv2 disabled (see test)
OK: manual functional test:

root@dc2000:~# aptitude install '?source-package(^openssl$)~i'
root@dc2000:~# dpkg -l | egrep 'openssl|libssl'
ii  libssl1.0.0:amd64           1.0.1e-2.107.201603011735
ii  openssl                     1.0.1e-2.107.201603011735


root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl3
CONNECTED(00000003)

[Same with -tls1 -tls1_1 -tls1_2 -dtls1]

root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl2
unknown option -ssl2

root@dc2000:~# openssl s_client -connect mail.univention.de:443 -tls1_2
Certificate chain
 0 s:/CN=mail.univention.de
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

Comment 7 Janek Walkenhorst

2016-03-09 16:41:20 CET

<http://errata.software-univention.de/ucs/4.0/407.html>