Univention Bugzilla – Bug 45750
openssl: multiple issues (4.2)
Last modified: 2018-05-08 14:56:38 CEST
The following issues have been reported as fixed in 1.0.2m: * Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) * bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) We currently ship 1.0.2k which used to be in jesse-backports. Currently jessie-backports offers 1.0.2l, so cherrypicking patches would be required.
1.0.2n <https://www.openssl.org/news/secadv/20171207.txt> Read/write after SSL object in error state (CVE-2017-3737) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) r17997 | Bug #45750: openssl Package: openssl Version: 1.0.2n-0A~4.2.0.201801262211 Branch: ucs_4.2-0 Scope: errata4.2-3 e419302f36 Bug #45750: openssl
--- mirror/ftp/4.2/unmaintained/4.2-1/source/openssl_1.0.2k-1~bpo8+1A~4.2.0.201706081143.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/openssl_1.0.2n-0A~4.2.0.201801262211.dsc @@ -1,6 +1,20 @@ -1.0.2k-1~bpo8+1A~4.2.0.201706081143 [Thu, 08 Jun 2017 11:43:01 +0200] Univention builddaemon <buildd@univention.de>: +1.0.2n-0A~4.2.0.201801262211 [Fri, 26 Jan 2018 22:11:49 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +1.0.2n-0 [Fri, 26 Jan 2018 21:37:59 +0100] Philipp Hahn <hahn@univention.de>: + + * New upstream release + - Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) + - bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) + - Read/write after SSL object in error state (CVE-2017-3737) + - rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + +1.0.2l-1~bpo8+1 [Wed, 21 Jun 2017 21:42:47 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * New upstream release + - Properly detect features on the AMD Ryzen processor (Closes: #861145) + * Refresh valgrind.patch 1.0.2k-1~bpo8+1 [Fri, 27 Jan 2017 22:22:13 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
* No UCS specific patches since errata4.2-0 * Comparison to previously and next shipped version ok * Binary package update Ok * Advisory adjusted: 8c771c62cf | Adjust wording
Why don't we use the 1.0.2l-2deb9u3 patches from stretch? https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l-2deb9u3
(In reply to Arvid Requate from comment #4) > Why don't we use the 1.0.2l-2deb9u3 patches from stretch? > > https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l- > 2deb9u3 1. UCS-4.2 is based on Debian-8, so the deb9 package does not work out-of-the-box and requires backporting the patches. OpenSSL has a history of backported patches going wrong. 2. According to <http://xen1.knut.univention.de:8000/packages/source/openssl/?since=4.2-0> we already had version "1.0.2k-1~bpo8+1" from "bpo", so the version from Jessie "1.0.1t-1+deb8u8" is older. There was newer "bpo" version fixing the mentioned CVEs, so I imported 'n' myself. 3. 'n' was the latest version back in January, "o" is current from 2018-03-27, 'p' is pending. So currently we're missing <https://www.openssl.org/news/secadv/20180327.txt>: - Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
<http://errata.software-univention.de/ucs/4.2/387.html>