Univention Bugzilla – Full Text Bug Listing |
Summary: | openssl: multiple issues (4.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | hahn |
Version: | UCS 4.2 | Flags: | requate:
Patch_Available+
|
Target Milestone: | UCS 4.2-3-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: | 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) | ||
Bug Depends on: | |||
Bug Blocks: | 45751 |
Description
Arvid Requate
2017-11-20 15:06:28 CET
1.0.2n <https://www.openssl.org/news/secadv/20171207.txt> Read/write after SSL object in error state (CVE-2017-3737) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) r17997 | Bug #45750: openssl Package: openssl Version: 1.0.2n-0A~4.2.0.201801262211 Branch: ucs_4.2-0 Scope: errata4.2-3 e419302f36 Bug #45750: openssl --- mirror/ftp/4.2/unmaintained/4.2-1/source/openssl_1.0.2k-1~bpo8+1A~4.2.0.201706081143.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/openssl_1.0.2n-0A~4.2.0.201801262211.dsc @@ -1,6 +1,20 @@ -1.0.2k-1~bpo8+1A~4.2.0.201706081143 [Thu, 08 Jun 2017 11:43:01 +0200] Univention builddaemon <buildd@univention.de>: +1.0.2n-0A~4.2.0.201801262211 [Fri, 26 Jan 2018 22:11:49 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +1.0.2n-0 [Fri, 26 Jan 2018 21:37:59 +0100] Philipp Hahn <hahn@univention.de>: + + * New upstream release + - Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) + - bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) + - Read/write after SSL object in error state (CVE-2017-3737) + - rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + +1.0.2l-1~bpo8+1 [Wed, 21 Jun 2017 21:42:47 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * New upstream release + - Properly detect features on the AMD Ryzen processor (Closes: #861145) + * Refresh valgrind.patch 1.0.2k-1~bpo8+1 [Fri, 27 Jan 2017 22:22:13 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: * No UCS specific patches since errata4.2-0 * Comparison to previously and next shipped version ok * Binary package update Ok * Advisory adjusted: 8c771c62cf | Adjust wording Why don't we use the 1.0.2l-2deb9u3 patches from stretch? https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l-2deb9u3 (In reply to Arvid Requate from comment #4) > Why don't we use the 1.0.2l-2deb9u3 patches from stretch? > > https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l- > 2deb9u3 1. UCS-4.2 is based on Debian-8, so the deb9 package does not work out-of-the-box and requires backporting the patches. OpenSSL has a history of backported patches going wrong. 2. According to <http://xen1.knut.univention.de:8000/packages/source/openssl/?since=4.2-0> we already had version "1.0.2k-1~bpo8+1" from "bpo", so the version from Jessie "1.0.1t-1+deb8u8" is older. There was newer "bpo" version fixing the mentioned CVEs, so I imported 'n' myself. 3. 'n' was the latest version back in January, "o" is current from 2018-03-27, 'p' is pending. So currently we're missing <https://www.openssl.org/news/secadv/20180327.txt>: - Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) |