Univention Bugzilla – Full Text Bug Listing

| Summary: | openssl: multiple issues (4.0) | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | | |
| Priority: | P5 | CC: | gohmann, requate, walkenhorst |
| Version: | UCS 4.0 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.0-4-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 40187 | | |
| Bug Blocks: | 40189 | | |
Description

Arvid Requate, 2015-12-07 19:34:26 CET

Upstream Debian package version 1.0.1e-2+deb7u19 fixes all of the above and the following issue:

* SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)

A new issue has been identified:

* SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Update:

- Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)

The following new issues have been identified (see https://www.openssl.org/news/secadv/20160301.txt):

* Double-free in DSA code (CVE-2016-0705)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)

The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.

The upstream Debian package version 1.0.1e-2+deb7u20 has been imported and built.

Advisory: openssl.yaml

OK: advisory
OK: SSLv2 disabled (see test)
OK: manual functional test:

```
root@dc2000:~# aptitude install '?source-package(^openssl$)~i'
root@dc2000:~# dpkg -l | egrep 'openssl|libssl'
ii  libssl1.0.0:amd64   1.0.1e-2.107.201603011735
ii  openssl             1.0.1e-2.107.201603011735
root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl3
CONNECTED(00000003)
[Same with -tls1 -tls1_1 -tls1_2 -dtls1]
root@dc2000:~# openssl s_client -connect $(hostname -f):443 -ssl2
unknown option -ssl2
root@dc2000:~# openssl s_client -connect mail.univention.de:443 -tls1_2
Certificate chain
 0 s:/CN=mail.univention.de
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
```
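The `dpkg -l` step of the functional test above checks by eye that both packages carry the fixed build. The following is an added example, not part of the bug report or of UCS, that automates that check by porting dpkg's version-ordering rules (so a Univention revision such as `2.107.201603011735` is compared against an upstream revision such as `2+deb7u20` the way `dpkg --compare-versions` would). The fixed version string is the one quoted in the comment; the `dpkg -l` lines are constructed sample input, and the package names to check are an assumption.

```python
# Added example, not part of the Univention bug report: flag installed openssl/libssl
# packages still below the fixed build, using dpkg's own version-ordering rules.
FIXED_VERSION = "1.0.1e-2.107.201603011735"  # the fixed build quoted in the bug comment
def _order(c):
    """Character weight from dpkg's verrevcmp(): '~' sorts even before end-of-string."""
    if c == "" or c.isdigit(): return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while a[i:i + 1] == "0": i += 1            # leading zeros are insignificant
        while b[j:j + 1] == "0": j += 1
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit(): return 1          # the longer number is larger
        if b[j:j + 1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
# Constructed `dpkg -l | egrep 'openssl|libssl'` output: libssl lags behind the fix.
SAMPLE_DPKG_L = """\
ii  libssl1.0.0:amd64  1.0.1e-2.106.201512071000  amd64  SSL shared libraries
ii  openssl            1.0.1e-2.107.201603011735  amd64  Secure Sockets Layer toolkit
"""

def unpatched_packages(dpkg_output, fixed=FIXED_VERSION, names=("libssl1.0.0", "openssl")):
    """Return {package: installed version} for installed packages still below `fixed`."""
    behind = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii": continue   # only fully installed packages
        name = fields[1].split(":", 1)[0]                    # drop the ":amd64" arch suffix
        if name in names and compare_versions(fields[2], fixed) < 0:
            behind[name] = fields[2]
    return behind
```

Feed it the real `dpkg -l` output on a host and an empty result means both packages are at or above the fixed build.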