Bug 42487
| Summary: | openssl: multiple issues (3.3) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann |
| Version: | UCS 3.3 | Flags: | requate:
Patch_Available+
|
| Target Milestone: | UCS 3.3-0-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42961 | ||
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Security | |
| Max CVSS v3 score: | |||
| Bug Depends on: | 42486 | ||
| Bug Blocks: | |||
|
Description
Felix Botner
Upstream Debian package version 1.0.1t-1+deb7u1 fixes these issues: * Remote denial of service (integer overflow and application crash) or unspecified other impact (CVE-2016-2177) * Potential timing side-channel attack by local users on DSA private key via dsa_sign_setup function in crypto/dsa/dsa_ossl.c (CVE-2016-2178) * Remote denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously (CVE-2016-2179) * Remote denial of service (out-of-bounds read and application crash) via a crafted timestamp file that is mishandled by the "openssl ts" command (CVE-2016-2180) * Remote denial of service (false-positive packet drops) via spoofed DTLS records (CVE-2016-2181) * Remote denial of service (out-of-bounds write and application crash) or unspecified other impact via BN_bn2dec function (CVE-2016-2182) * Remote denial of service via a ticket that is too short (CVE-2016-6302) * Remote denial of service (out-of-bounds write and application crash) or unspecified other impact via MDC2_Update function (CVE-2016-6303) * Remote denial of service (memory consumption) via large OCSP Status Request extensions (CVE-2016-6304) * Remote denial of service (out-of-bounds read) via crafted certificate operations (CVE-2016-6306) I.e. Debian wheezy-lts updated to the package version from Debian Jessie. I've downloaded the 1.0.1t-1+deb7u1 source package and have repackaged it to 1.0.1e-2+deb7u20really1.0.1tdeb7u1. Additionally I had to apply a patch at build time to keep the version number below the one shipped in UCS 4.0. The patch for CVE-2016-2182 included in that package is identical to the regression-fixed version included in the 1.0.1t-1+deb8u5 package (Bug #42961). Advisory: openssl.yaml FIXED: errata-announce -V --only openssl.yaml # r75233 [FAIL] cve.CVE-2014-3571: Not in description: CVE-2014-3571 OK: 01_ucs3.3_dependency.patch OK: 02_fix_version_below_ucs400.patch OK: Bug #42961 OK: <https://www.openssl.org/news/secadv/20160922.txt> OK: aptitude install '?source-package(openssl)~i' OK: aptitude install '?source-package(openssl)?not(?name(udeb))' OK: zless /usr/share/doc/libssl1.0.0/changelog.Debian.gz # 1.0.1e-2~ucs3.3.132.201611171655 FYI: Also fixed by 1.0.1t-1+deb7u1 but not mentioned here yet: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 OK: openssl s_client -connect localhost:636 # 443 OK: openssl s_client -connect localhost:443 -ssl3 OK: ldapsearch -ZZZ -x -D `ucr get ldap/hostdn` -y /etc/machine.secret dn OK: univention-certificate new -name test -days 1 OK: univention-certificate check -name test OK: univention-certificate dump -name test OK: univention-certificate list OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem OK: mutt -f imaps://Administrator@$(dnsdomainname)@$(hostname -f)/ OK: w3m https://$(hostname -f)/ucs-overview/ OK: lynx https://$(hostname -f)/ucs-overview/ OK: curl --cacert /etc/univention/ssl/ucsCA/CAcert.pem https://$(hostname -f)/ucs-overview/ |