[SECURITY] [DSA 3197-1] openssl security update

2015-03-1914:31:39

lists.debian.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.021 Low

EPSS

Percentile

89.0%

JSON

Debian Security Advisory DSA-3197-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
March 19, 2015 http://www.debian.org/security/faq

Package : openssl
CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288
CVE-2015-0289 CVE-2015-0292

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-0286

Stephen Henson discovered that the ASN1_TYPE_cmp() function
can be crashed, resulting in denial of service.

CVE-2015-0287

Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

CVE-2015-0289

Michal Zalewski discovered a NULL pointer dereference in the
PKCS#7 parsing code, resulting in denial of service.

CVE-2015-0292

It was discovered that missing input sanitising in base64 decoding
might result in memory corruption.

CVE-2015-0209

It was discovered that a malformed EC private key might result in
memory corruption.

CVE-2015-0288

It was discovered that missing input sanitising in the
X509_to_X509_REQ() function might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u15. In this update the export ciphers are removed
from the default cipher list.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7s390xopenssl< 1.0.1e-2+deb7u15openssl_1.0.1e-2+deb7u15_s390x.deb
Debian7i386openssl< 1.0.1e-2+deb7u15openssl_1.0.1e-2+deb7u15_i386.deb
Debian6i386libssl0.9.8-dbg< 0.9.8o-4squeeze20libssl0.9.8-dbg_0.9.8o-4squeeze20_i386.deb
Debian7armhflibcrypto1.0.0-udeb< 1.0.1e-2+deb7u15libcrypto1.0.0-udeb_1.0.1e-2+deb7u15_armhf.deb
Debian7kfreebsd-i386libssl-dev< 1.0.1e-2+deb7u15libssl-dev_1.0.1e-2+deb7u15_kfreebsd-i386.deb
Debian7armhflibssl1.0.0< 1.0.1e-2+deb7u15libssl1.0.0_1.0.1e-2+deb7u15_armhf.deb
Debian6i386openssl< 0.9.8o-4squeeze20openssl_0.9.8o-4squeeze20_i386.deb
Debian7ia64libssl1.0.0-dbg< 1.0.1e-2+deb7u15libssl1.0.0-dbg_1.0.1e-2+deb7u15_ia64.deb
Debian7mipsopenssl< 1.0.1e-2+deb7u15openssl_1.0.1e-2+deb7u15_mips.deb
Debian7mipsellibcrypto1.0.0-udeb< 1.0.1e-2+deb7u15libcrypto1.0.0-udeb_1.0.1e-2+deb7u15_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	s390x	openssl	< 1.0.1e-2+deb7u15	openssl_1.0.1e-2+deb7u15_s390x.deb
Debian	7	i386	openssl	< 1.0.1e-2+deb7u15	openssl_1.0.1e-2+deb7u15_i386.deb
Debian	6	i386	libssl0.9.8-dbg	< 0.9.8o-4squeeze20	libssl0.9.8-dbg_0.9.8o-4squeeze20_i386.deb
Debian	7	armhf	libcrypto1.0.0-udeb	< 1.0.1e-2+deb7u15	libcrypto1.0.0-udeb_1.0.1e-2+deb7u15_armhf.deb
Debian	7	kfreebsd-i386	libssl-dev	< 1.0.1e-2+deb7u15	libssl-dev_1.0.1e-2+deb7u15_kfreebsd-i386.deb
Debian	7	armhf	libssl1.0.0	< 1.0.1e-2+deb7u15	libssl1.0.0_1.0.1e-2+deb7u15_armhf.deb
Debian	6	i386	openssl	< 0.9.8o-4squeeze20	openssl_0.9.8o-4squeeze20_i386.deb
Debian	7	ia64	libssl1.0.0-dbg	< 1.0.1e-2+deb7u15	libssl1.0.0-dbg_1.0.1e-2+deb7u15_ia64.deb
Debian	7	mips	openssl	< 1.0.1e-2+deb7u15	openssl_1.0.1e-2+deb7u15_mips.deb
Debian	7	mipsel	libcrypto1.0.0-udeb	< 1.0.1e-2+deb7u15	libcrypto1.0.0-udeb_1.0.1e-2+deb7u15_mipsel.deb