Univention Bugzilla – Bug 40188
openssl: multiple issues (4.0)
Last modified: 2016-03-09 16:41:20 CET
+++ This bug was initially created as a clone of Bug #40187 +++ Upstream Debian package version 1.0.1e-2+deb7u18 fixes these issues: * Denial of Service: Certificate verify crash with missing PSS parameter (CVE-2015-3194) * PKCS#7 and CMS routines: malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195) * Race condition handling PSK identify hint potentially leading to double free in multithreaded clients (CVE-2015-3196)
Upstream Debian package version 1.0.1e-2+deb7u19 fixes all of the above and the following issue: * SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)
A new issue has been identified: * SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Update: - Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)
The following new issues have been identified (see https://www.openssl.org/news/secadv/20160301.txt): * Double-free in DSA code (CVE-2016-0705) * Memory leak in SRP database lookups (CVE-2016-0798) * BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) * Memory issues in BIO_*printf functions (CVE-2016-0799) * Side channel attack on modular exponentiation (CVE-2016-0702) The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.
The upstream Debian package version 1.0.1e-2+deb7u20 has been imported and built. Advisory: openssl.yaml
OK: advisory OK: SSLv2 disabled (see test) OK: manual functional test: root@dc2000:~# aptitude install '?source-package(^openssl$)~i' root@dc2000:~# dpkg -l | egrep 'openssl|libssl' ii libssl1.0.0:amd64 1.0.1e-2.107.201603011735 ii openssl 1.0.1e-2.107.201603011735 root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl3 CONNECTED(00000003) [Same with -tls1 -tls1_1 -tls1_2 -dtls1] root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl2 unknown option -ssl2 root@dc2000:~# openssl s_client -connect mail.univention.de:443 -tls1_2 Certificate chain 0 s:/CN=mail.univention.de i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
<http://errata.software-univention.de/ucs/4.0/407.html>