Bug 41225 – openssl: multiple issues (3.2)

Bug 41225 - openssl: multiple issues (3.2)


Summary:	openssl: multiple issues (3.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P4 normal (vote)
Target Milestone:	UCS 3.2-8-errata
Assigned To:	Janek Walkenhorst
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-05-09 18:27 CEST by Arvid Requate
Modified:	2016-09-21 21:27 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
patches-for-openssl-0.9.8o-4squeeze23.tar.gz (6.48 KB, application/gzip) 2016-05-09 18:27 CEST, Arvid Requate	Details
patches-for-openssl-0.9.8o-4squeeze23.tar.gz (4.12 KB, application/gzip) 2016-05-10 21:37 CEST, Arvid Requate	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-05-09 18:27:58 CEST

Created attachment 7645 [details]
patches-for-openssl-0.9.8o-4squeeze23.tar.gz

The attached tgz contains backported patches for

* EVP_EncodeUpdate overflow (CVE-2016-2105)
* EVP_EncryptUpdate overflow (CVE-2016-2106)
* Memory corruption in the ASN.1 encoder (CVE-2016-2108)
* ASN.1 BIO excessive memory allocation (CVE-2016-2109)

The code affected by CVE-2016-2107 is not present in OpenSSL 0.9.8

+++ This bug was initially created as a clone of Bug #41198 +++

Comment 1 Arvid Requate

2016-05-10 21:37:29 CEST

Created attachment 7650 [details]
patches-for-openssl-0.9.8o-4squeeze23.tar.gz

Updated patch bundle, the other one was incomplete.

Comment 2 Janek Walkenhorst

2016-05-17 19:42:27 CEST

(In reply to Arvid Requate from comment #1)
> Created attachment 7650 [details]
> patches-for-openssl-0.9.8o-4squeeze23.tar.gz
> 
> Updated patch bundle, the other one was incomplete.
Removed duplicate " {" from CVE-2016-2105.patch
Otherwise they are good.

Comment 3 Janek Walkenhorst

2016-05-20 10:38:28 CEST

Tests (i386): OK
Advisory: openssl.yaml

Comment 4 Arvid Requate

2016-05-31 17:42:21 CEST

Verified:

* Source patches ok and applied
* Binary packages updatable
* Advisory: Ok

Comment 5 Janek Walkenhorst

2016-06-01 16:12:09 CEST

<http://errata.software-univention.de/ucs/3.2/426.html>