Univention Bugzilla – Bug 45750
openssl: multiple issues (4.2)
Last modified: 2018-05-08 14:56:38 CEST
The following issues have been reported as fixed in 1.0.2m:
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
We currently ship 1.0.2k which used to be in jesse-backports. Currently jessie-backports offers 1.0.2l, so cherrypicking patches would be required.
Read/write after SSL object in error state (CVE-2017-3737)
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
r17997 | Bug #45750: openssl
e419302f36 Bug #45750: openssl
@@ -1,6 +1,20 @@
-1.0.2k-1~bpo8+1A~220.127.116.11706081143 [Thu, 08 Jun 2017 11:43:01 +0200] Univention builddaemon <firstname.lastname@example.org>:
+1.0.2n-0A~18.104.22.168801262211 [Fri, 26 Jan 2018 22:11:49 +0100] Univention builddaemon <email@example.com>:
* UCS auto build. No patches were applied to the original source package
+1.0.2n-0 [Fri, 26 Jan 2018 21:37:59 +0100] Philipp Hahn <firstname.lastname@example.org>:
+ * New upstream release
+ - Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
+ - bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
+ - Read/write after SSL object in error state (CVE-2017-3737)
+ - rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
+1.0.2l-1~bpo8+1 [Wed, 21 Jun 2017 21:42:47 +0200] Sebastian Andrzej Siewior <email@example.com>:
+ * New upstream release
+ - Properly detect features on the AMD Ryzen processor (Closes: #861145)
+ * Refresh valgrind.patch
1.0.2k-1~bpo8+1 [Fri, 27 Jan 2017 22:22:13 +0100] Sebastian Andrzej Siewior <firstname.lastname@example.org>:
* No UCS specific patches since errata4.2-0
* Comparison to previously and next shipped version ok
* Binary package update Ok
* Advisory adjusted:
8c771c62cf | Adjust wording
Why don't we use the 1.0.2l-2deb9u3 patches from stretch?
(In reply to Arvid Requate from comment #4)
> Why don't we use the 1.0.2l-2deb9u3 patches from stretch?
1. UCS-4.2 is based on Debian-8, so the deb9 package does not work out-of-the-box and requires backporting the patches. OpenSSL has a history of backported patches going wrong.
2. According to <http://xen1.knut.univention.de:8000/packages/source/openssl/?since=4.2-0> we already had version "1.0.2k-1~bpo8+1" from "bpo", so the version from Jessie "1.0.1t-1+deb8u8" is older. There was newer "bpo" version fixing the mentioned CVEs, so I imported 'n' myself.
3. 'n' was the latest version back in January, "o" is current from 2018-03-27, 'p' is pending.
So currently we're missing <https://www.openssl.org/news/secadv/20180327.txt>:
- Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)