Bug 41226 - openssl: Multiple issues (ES 3.1)
Summary: openssl: Multiple issues (ES 3.1)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.1-ES
Assignee: Janek Walkenhorst
QA Contact: Arvid Requate
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-09 18:35 CEST by Arvid Requate
Modified: 2016-12-12 16:34 CET (History)
See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:
requate: Patch_Available+


Attachments
patches-for-openssl-0.9.8o-4squeeze23.tar.gz (6.48 KB, application/gzip)
2016-05-09 18:35 CEST, Arvid Requate
patches-for-openssl-0.9.8o-4squeeze23.tar.gz (4.12 KB, application/gzip)
2016-05-10 21:38 CEST, Arvid Requate
Advisory (2.10 KB, text/plain)
2016-05-26 15:13 CEST, Janek Walkenhorst

Description Arvid Requate univentionstaff 2016-05-09 18:35:03 CEST
Created attachment 7646 [details]
patches-for-openssl-0.9.8o-4squeeze23.tar.gz

Upstream Debian package version 0.9.8o-4squeeze23 fixes these issues:

* PKCS#7 and CMS routines: with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195)

* A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2 (CVE-2015-3197)

* Additionally, when using a DHE cipher suite a new DH key will always be generated for each connection.

Additionally the attached tgz contains backported patches for

* EVP_EncodeUpdate overflow (CVE-2016-2105)
* EVP_EncryptUpdate overflow (CVE-2016-2106)
* Memory corruption in the ASN.1 encoder (CVE-2016-2108)
* ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Comment 1 Arvid Requate univentionstaff 2016-05-10 21:38:09 CEST
Created attachment 7651 [details]
patches-for-openssl-0.9.8o-4squeeze23.tar.gz

Updated patch bundle, the other one was incomplete.
Comment 2 Janek Walkenhorst univentionstaff 2016-05-26 15:13:12 CEST
Created attachment 7692 [details]
Advisory
Comment 3 Janek Walkenhorst univentionstaff 2016-05-26 15:14:45 CEST
Tests (amd64, i386): OK
Comment 4 Arvid Requate univentionstaff 2016-06-08 22:24:46 CEST
Hmm, the versioning is not ideal:

Version:        0.9.8o-4.64.201303050828:       ucs_3.1-0-ucs3.1-1
Version:        0.9.8o-4.121.201605261444:      ucs_3.1-0-extsec3.1
Version:        0.9.8o-4.120.201605171940:      ucs_3.2-0-errata3.2-8
Version:        1.0.1e-2~ucs3.3.111.201603171055:       ucs_3.3-0

As it stands it would skip the update you made for Bug 41225. Probably it doesn't cause issues, but... what do you think? Should we rebuild the package with a fixed build version increment?
Comment 5 Janek Walkenhorst univentionstaff 2016-06-13 12:21:13 CEST
(In reply to Arvid Requate from comment #4)
> Hmm, the versioning is not ideal:
> 
> Version:        0.9.8o-4.64.201303050828:       ucs_3.1-0-ucs3.1-1
> Version:        0.9.8o-4.121.201605261444:      ucs_3.1-0-extsec3.1
> Version:        0.9.8o-4.120.201605171940:      ucs_3.2-0-errata3.2-8
> Version:        1.0.1e-2~ucs3.3.111.201603171055:       ucs_3.3-0
> 
> As it stands it would skip the update you made for Bug 41225. Probably it
> doesn't cause issues, but... what do you think? Should we rebuild the
> package with a fixed build version increment?
Rebuilt
Comment 6 Arvid Requate univentionstaff 2016-12-07 20:28:23 CET
Verified:
* patches applied during build
* package update ok
* basic function test ok

The package version number in the advisory needs to be updated but we can also simply do this during package announce.
Comment 7 Janek Walkenhorst univentionstaff 2016-12-12 16:34:51 CET
<http://errata.software-univention.de/ucs/3.1/289.html>