Bug 40188 - openssl: multiple issues (4.0)
openssl: multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-4-errata
Assigned To: Arvid Requate
Daniel Tröder
:
Depends on: 40187
Blocks: 40189
  Show dependency treegraph
 
Reported: 2015-12-07 19:34 CET by Arvid Requate
Modified: 2016-03-09 16:41 CET (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-12-07 19:34:26 CET
+++ This bug was initially created as a clone of Bug #40187 +++

Upstream Debian package version 1.0.1e-2+deb7u18 fixes these issues:

* Denial of Service: Certificate verify crash with missing PSS parameter (CVE-2015-3194)

* PKCS#7 and CMS routines: malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195)

* Race condition handling PSK identify hint potentially leading to double free in multithreaded clients (CVE-2015-3196)
Comment 1 Arvid Requate univentionstaff 2016-01-11 12:26:18 CET
Upstream Debian package version 1.0.1e-2+deb7u19 fixes all of the above and the following issue:

* SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)
Comment 2 Arvid Requate univentionstaff 2016-01-28 19:14:29 CET
A new issue has been identified:

* SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Comment 3 Arvid Requate univentionstaff 2016-01-28 20:40:27 CET
Update:
 - Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)
Comment 4 Arvid Requate univentionstaff 2016-03-01 15:18:37 CET
The following new issues have been identified
(see https://www.openssl.org/news/secadv/20160301.txt):

* Double-free in DSA code (CVE-2016-0705)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)

The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.
Comment 5 Arvid Requate univentionstaff 2016-03-01 21:31:36 CET
The upstream Debian package version 1.0.1e-2+deb7u20 has been imported and built.

Advisory: openssl.yaml
Comment 6 Daniel Tröder univentionstaff 2016-03-02 16:51:39 CET
OK: advisory
OK: SSLv2 disabled (see test)
OK: manual functional test:

root@dc2000:~# aptitude install '?source-package(^openssl$)~i'
root@dc2000:~# dpkg -l | egrep 'openssl|libssl'
ii  libssl1.0.0:amd64           1.0.1e-2.107.201603011735
ii  openssl                     1.0.1e-2.107.201603011735


root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl3
CONNECTED(00000003)

[Same with -tls1 -tls1_1 -tls1_2 -dtls1]

root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl2
unknown option -ssl2

root@dc2000:~# openssl s_client -connect mail.univention.de:443 -tls1_2
Certificate chain
 0 s:/CN=mail.univention.de
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
Comment 7 Janek Walkenhorst univentionstaff 2016-03-09 16:41:20 CET
<http://errata.software-univention.de/ucs/4.0/407.html>