Bug 41198

Summary:	openssl: multiple issues (4.0)
Product:	UCS	Reporter:	Arvid Requate <requate>
Component:	Security updates	Assignee:	Janek Walkenhorst <walkenhorst>
Status:	CLOSED FIXED	QA Contact:	Arvid Requate <requate>
Severity:	normal
Priority:	P4	CC:	gohmann, hahn, requate, walkenhorst
Version:	UCS 4.0	Flags:	requate: Patch_Available+
Target Milestone:	UCS 4.0-5-errata
Hardware:	Other
OS:	Linux
What kind of report is it?:	Security Issue	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):	Security
Max CVSS v3 score:
Attachments:	openssl_patches_1.0.1f-1ubuntu2.19.tgz

Description Arvid Requate

2016-05-03 20:19:11 CEST

The new openssl release 1.0.1t fixes these issues:

* EVP_EncodeUpdate overflow (CVE-2016-2105)
* EVP_EncryptUpdate overflow (CVE-2016-2106)
* Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
* Memory corruption in the ASN.1 encoder (CVE-2016-2108)
* ASN.1 BIO excessive memory allocation (CVE-2016-2109)
* EBCDIC overread (CVE-2016-2176)

Comment 1 Arvid Requate

2016-05-03 20:21:02 CEST

Created attachment 7637 [details]
openssl_patches_1.0.1f-1ubuntu2.19.tgz

Backport patches from Ubuntu 14.04 LTS (1.0.1f).

Wheezy LTS will probably also prepare patches for 1.0.1e.

Comment 2 Arvid Requate

2016-05-04 19:42:37 CEST

Upstream Debian package version 1.0.1e-2+deb7u21 contains the patches.

Comment 3 Janek Walkenhorst

2016-05-09 19:40:15 CEST

Tests: OK
Advisory: openssl.yaml

Comment 4 Arvid Requate

2016-05-10 21:50:13 CEST

Verified:
* Upstream package with patches imported and built in errata4.0-5
* Package update works (amd64)
* Advisory Ok

Comment 5 Philipp Hahn

2016-05-11 16:52:14 CEST

<http://errata.software-univention.de/ucs/4.0/419.html>