Univention Bugzilla – Bug 46137
libcrypto++: Multiple issues (4.2)
Last modified: 2018-05-08 14:56:45 CEST
libcrypto++ (5.6.1-6+deb8u3) jessie-security; urgency=high

  * CVE-2016-9939
    Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there are not enough content octets in the ASN.1 object, then the function will fail and the memory block will be zeroed even if it's unused. There is a noticeable delay during the wipe for a large allocation.

libcrypto++ (5.6.1-6+deb8u2) jessie; urgency=medium

  * CVE-2016-3995
    The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock in Crypto++ (aka cryptopp) before 5.6.4 may be optimized out by the compiler, which allows attackers to conduct timing attacks.

libcrypto++ (5.6.1-6+deb8u1) jessie-security; urgency=high

  * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks.
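The CVE-2016-9939 entry above describes an allocate-before-validate pattern in a BER decoder. The following is an added illustrative example, not Crypto++ source and not part of this bug report: a minimal reader for a definite-length BER OCTET STRING that first reproduces the pattern (allocation and zero-fill sized by the attacker-controlled length field, truncation noticed only afterwards) and then the hardened ordering (length checked against the remaining input before any allocation). Function names, the `BerResult` struct and the sample inputs are assumptions made for this example.

```cpp
// Added example (not Crypto++ code): BER OCTET STRING decoding with the
// allocate-before-check pattern of CVE-2016-9939 beside a checked variant.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct BerResult {
    bool ok;                        // decode succeeded
    size_t allocated;               // bytes the decoder allocated for content
    std::vector<uint8_t> content;   // decoded content octets (if ok)
};

// Read a definite-form BER length at in[pos], advancing pos.
// Short form (< 0x80) and long form with 1..4 length octets are accepted;
// indefinite form (0x80) and longer encodings are rejected.
static bool readLength(const std::vector<uint8_t>& in, size_t& pos, size_t& len) {
    if (pos >= in.size()) return false;
    uint8_t b = in[pos++];
    if (b < 0x80) { len = b; return true; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 4) return false;
    if (in.size() - pos < n) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | in[pos++];
    return true;
}

// Vulnerable ordering: the buffer is allocated and zero-filled from the
// length field, and only then is the input found to be too short. A 4-byte
// length field can claim up to 4 GiB, so a few input bytes drive a large
// allocation and wipe before the decoder reports failure.
BerResult decodeOctetStringNaive(const std::vector<uint8_t>& in) {
    BerResult r{false, 0, {}};
    size_t pos = 0;
    if (in.empty() || in[pos++] != 0x04) return r;      // 0x04 = OCTET STRING
    size_t len = 0;
    if (!readLength(in, pos, len)) return r;
    std::vector<uint8_t> buf(len, 0);                   // sized by untrusted length
    r.allocated = len;
    if (in.size() - pos < len) return r;                // too late: already allocated
    std::memcpy(buf.data(), in.data() + pos, len);
    r.ok = true;
    r.content = std::move(buf);
    return r;
}

// Hardened ordering: reject a length that exceeds the remaining input
// before touching the allocator, so truncated input costs nothing.
BerResult decodeOctetStringChecked(const std::vector<uint8_t>& in) {
    BerResult r{false, 0, {}};
    size_t pos = 0;
    if (in.empty() || in[pos++] != 0x04) return r;
    size_t len = 0;
    if (!readLength(in, pos, len)) return r;
    if (in.size() - pos < len) return r;                // validate first
    r.allocated = len;
    r.content.assign(in.begin() + pos, in.begin() + pos + len);
    r.ok = true;
    return r;
}

int main() {
    // Constructed input: OCTET STRING claiming 1 MiB of content, none present.
    std::vector<uint8_t> truncated{0x04, 0x83, 0x10, 0x00, 0x00};
    BerResult a = decodeOctetStringNaive(truncated);
    BerResult b = decodeOctetStringChecked(truncated);
    std::printf("naive:   ok=%d allocated=%zu\n", a.ok, a.allocated);
    std::printf("checked: ok=%d allocated=%zu\n", b.ok, b.allocated);
    return 0;
}
```

Both decoders reject the truncated element; the difference is that the naive one has already paid for a 1 MiB allocation and zero-fill (and would pay for up to 4 GiB with a 0x84 length prefix), which is the denial-of-service the changelog entry describes.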
Mass-import from Debian-Security:

python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libcrypto++_5.6.1-6.A~4.2.0.201608311446.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libcrypto++_5.6.1-6.A~4.2.3.201801211553.dsc @@ -1,6 +1,10 @@ -5.6.1-6.A~4.2.0.201608311446 [Wed, 31 Aug 2016 17:16:39 +0200] Univention builddaemon <buildd@univention.de>: +5.6.1-6.A~4.2.3.201801211553 [Wed, 24 Jan 2018 13:10:04 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.6.1-6+deb8u3 [Sat, 24 Dec 2016 08:31:34 +0000] Laszlo Boszormenyi (GCS) <gcs@debian.org>: + + * Fix CVE-2016-9939: possible DoS in ASN.1 decoders (closes: #848009). 5.6.1-6+deb8u2 [Mon, 11 Apr 2016 16:13:56 +0000] Laszlo Boszormenyi (GCS) <gcs@debian.org>:
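Review bot: the only functional change in this hunk is the inserted 5.6.1-6+deb8u3 entry ("Fix CVE-2016-9939: possible DoS in ASN.1 decoders (closes: #848009)"); the previously shipped 4.2.0 build (5.6.1-6.A~4.2.0.201608311446, Aug 2016) already sat on top of the 5.6.1-6+deb8u2 entry shown as unchanged context, so CVE-2016-3995 and CVE-2015-2141 were fixed in what UCS 4.2-0 shipped. The advisory can still list all three CVEs for completeness, but it should state that only CVE-2016-9939 is newly fixed by this errata update so that readers of the changelog and the advisory get a consistent picture.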
* No UCS specific patches
* Comparison to previously shipped version ok
* Installation Ok
* Advisory adjusted: 21737617ac | Sort CVEs
<http://errata.software-univention.de/ucs/4.2/344.html>