Univention Bugzilla – Bug 42487
openssl: multiple issues (3.3)
Last modified: 2016-12-14 12:58:49 CET
Not yet fixed in debian, but maybe not as important, see https://www.openssl.org/news/secadv/20160922.txt: Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support. We have version 1.0.1e-2+deb7u20 in 3.3-0-0.
Upstream Debian package version 1.0.1t-1+deb7u1 fixes these issues:
* Remote denial of service (integer overflow and application crash) or unspecified other impact (CVE-2016-2177)
* Potential timing side-channel attack by local users on DSA private key via dsa_sign_setup function in crypto/dsa/dsa_ossl.c (CVE-2016-2178)
* Remote denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously (CVE-2016-2179)
* Remote denial of service (out-of-bounds read and application crash) via a crafted timestamp file that is mishandled by the "openssl ts" command (CVE-2016-2180)
* Remote denial of service (false-positive packet drops) via spoofed DTLS records (CVE-2016-2181)
* Remote denial of service (out-of-bounds write and application crash) or unspecified other impact via BN_bn2dec function (CVE-2016-2182)
* Remote denial of service via a ticket that is too short (CVE-2016-6302)
* Remote denial of service (out-of-bounds write and application crash) or unspecified other impact via MDC2_Update function (CVE-2016-6303)
* Remote denial of service (memory consumption) via large OCSP Status Request extensions (CVE-2016-6304)
* Remote denial of service (out-of-bounds read) via crafted certificate operations (CVE-2016-6306)
I.e. Debian wheezy-lts updated to the package version from Debian Jessie.
I've downloaded the 1.0.1t-1+deb7u1 source package and have repackaged it to 1.0.1e-2+deb7u20really1.0.1tdeb7u1. Additionally I had to apply a patch at build time to keep the version number below the one shipped in UCS 4.0. The patch for CVE-2016-2182 included in that package is identical to the regression-fixed version included in the 1.0.1t-1+deb8u5 package (Bug #42961). Advisory: openssl.yaml
FIXED: errata-announce -V --only openssl.yaml # r75233
[FAIL] cve.CVE-2014-3571: Not in description: CVE-2014-3571
OK: 01_ucs3.3_dependency.patch
OK: 02_fix_version_below_ucs400.patch
OK: Bug #42961
OK: <https://www.openssl.org/news/secadv/20160922.txt>
OK: aptitude install '?source-package(openssl)~i'
OK: aptitude install '?source-package(openssl)?not(?name(udeb))'
OK: zless /usr/share/doc/libssl1.0.0/changelog.Debian.gz # 1.0.1e-2~ucs3.3.132.201611171655
FYI: Also fixed by 1.0.1t-1+deb7u1 but not mentioned here yet: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206
OK: openssl s_client -connect localhost:636 # 443
OK: openssl s_client -connect localhost:443 -ssl3
OK: ldapsearch -ZZZ -x -D `ucr get ldap/hostdn` -y /etc/machine.secret dn
OK: univention-certificate new -name test -days 1
OK: univention-certificate check -name test
OK: univention-certificate dump -name test
OK: univention-certificate list
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: mutt -f imaps://Administrator@$(dnsdomainname)@$(hostname -f)/
OK: w3m https://$(hostname -f)/ucs-overview/
OK: lynx https://$(hostname -f)/ucs-overview/
OK: curl --cacert /etc/univention/ssl/ucsCA/CAcert.pem https://$(hostname -f)/ucs-overview/
<http://errata.software-univention.de/ucs/3.3/26.html>