ID SOL16136 Type f5 Reporter f5 Modified 2015-09-17T00:00:00
Description
Recommended Action
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, navigate to the respective product:
BIG-IP products
Traffix
LineRate
BIG-IP products
To mitigate this vulnerability, you can discontinue the use of X509::hash and use another mechanism for blacklisting.
Traffix products
To mitigate this vulnerability, you can upgrade with the Traffix package for January 2015 which contains openssl-1.0.1e-30. For more information, refer to the F5 Traffix representative for your region.
LineRate
None
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
{"reporter": "f5", "published": "2015-02-12T00:00:00", "cvelist": ["CVE-2014-8275"], "title": "SOL16136 - OpenSSL vulnerability CVE-2014-8275", "objectVersion": "1.2", "type": "f5", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/100/sol16136.html", "bulletinFamily": "software", "hashmap": [{"hash": "883b84b22787c411bdb98f51d1aa44b2", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "9a16075f13f7605af55643a1ccc20eb8", "key": "cvelist"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "cdccb38d0bd4d1c2bc2e86f31e711f25", "key": "description"}, {"hash": "28c65a047f7a5029a9098a89551febab", "key": "href"}, {"hash": "b84c0044884bb0e96c08581962599d69", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "836c04d22009adbe729e538a44a9ffba", "key": "published"}, {"hash": "d708145dea38455a229de4cb2bf9c70e", "key": "references"}, {"hash": "74ce2e1a498f2fa27b5542040be774dc", "key": "reporter"}, {"hash": "4700aa8ab1b626d5f5301cd5997b48db", "key": "title"}, {"hash": "74ce2e1a498f2fa27b5542040be774dc", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "vulnersScore": 5.0}, "modified": "2015-09-17T00:00:00", "hash": "d42c4a3b8017a61141fb993cad608915eeee60580b568ce441fc2b5e1003d39f", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "viewCount": 3, "lastseen": "2016-09-26T17:23:31", "edition": 1, "description": "Recommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, navigate to the respective product: \n\n\n * BIG-IP products \n\n * Traffix \n\n * LineRate\n\n**BIG-IP products** \n\n\nTo mitigate this vulnerability, you can discontinue the use of **X509::hash** and use another mechanism for blacklisting. \n\n\n**Traffix products \n**\n\nTo mitigate this vulnerability, you can upgrade with the Traffix package for January 2015 which contains **openssl-1.0.1e-30**. For more information, refer to the F5 Traffix representative for your region. \n\n\n**LineRate**\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "id": "SOL16136", "affectedSoftware": [{"operator": "le", "name": "BIG-IP PSM", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP Link Controller", "version": "11.6.0"}, {"operator": "le", "name": "LineRate", "version": "2.5.0"}, {"operator": "le", "name": "BIG-IP PEM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP APM", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP Edge Clients for Linux\n", "version": "7110.x"}, {"operator": "le", "name": "BIG-IP Edge Clients for Apple iOS", "version": "1.0.6"}, {"operator": "le", "name": "BIG-IP Analytics", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP WebAccelerator", "version": "11.3.0"}, {"operator": "le", "name": "BIG-IP Edge Clients for Windows", "version": "7110.x"}, {"operator": "le", "name": "BIG-IP ASM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP Edge Gateway\n", "version": "11.3.0"}, {"operator": "le", "name": "BIG-IP LTM", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP PSM", "version": "11.4.1"}, {"operator": "le", "name": "BIG-IP LTM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP AAM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP ASM", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP WebAccelerator", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP Edge Clients for Android\n", "version": "2.0.6"}, {"operator": "le", "name": "BIG-IP Link Controller", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP AFM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP Edge Clients Windows Phone 8.1", "version": "1.0.0.x"}, {"operator": "le", "name": "BIG-IP APM", "version": "11.6.0"}, {"operator": "le", "name": "BIG-IP Edge Clients for MAC OS X", "version": "7110.x"}, {"operator": "le", "name": "BIG-IP WOM", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP WOM", "version": "11.3.0"}, {"operator": "le", "name": "BIG-IP Edge Gateway\n", "version": "10.2.4"}, {"operator": "le", "name": "BIG-IP Edge Clients for Apple iOS", "version": "2.0.4"}, {"operator": "le", "name": "Traffix", "version": "4.1.0"}]}
{"cve": [{"lastseen": "2017-11-15T11:55:35", "references": ["http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html", "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", "http://rhn.redhat.com/errata/RHSA-2015-0066.html", "https://support.citrix.com/article/CTX216642", "http://marc.info/?l=bugtraq&m=142721102728110&w=2", "http://www.securityfocus.com/bid/71935", "http://marc.info/?l=bugtraq&m=142720981827617&w=2", "http://marc.info/?l=bugtraq&m=143748090628601&w=2", "http://marc.info/?l=bugtraq&m=144050205101530&w=2", "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html", "http://rhn.redhat.com/errata/RHSA-2015-0800.html", "http://marc.info/?l=bugtraq&m=144050155601375&w=2", "https://github.com/openssl/openssl/commit/684400ce192dac51df3d3e92b61830a6ef90be3e", "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:019", "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html", "https://www.openssl.org/news/secadv_20150108.txt", "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", "http://marc.info/?l=bugtraq&m=144050254401665&w=2", "http://marc.info/?l=bugtraq&m=144050297101809&w=2", "http://marc.info/?l=bugtraq&m=142895206924048&w=2", "https://kc.mcafee.com/corporate/index?page=content&id=SB10102", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html", "https://support.apple.com/HT204659", "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148363.html", "http://www.debian.org/security/2015/dsa-3125", "https://github.com/openssl/openssl/commit/cb62ab4b17818fe66d2fed0a7fe71969131c811b", "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679", "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "https://bto.bluecoat.com/security-advisory/sa88", "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html", "http://www.securitytracker.com/id/1033378", "https://kc.mcafee.com/corporate/index?page=content&id=SB10108", "http://marc.info/?l=bugtraq&m=142496179803395&w=2", "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:062", "http://marc.info/?l=bugtraq&m=142496289803847&w=2", "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl"], "edition": 4, "description": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.", "reporter": "NVD", "published": "2015-01-08T21:59:09", "title": "CVE-2014-8275", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-8275"], "scanner": [], "cpe": ["cpe:/a:openssl:openssl:1.0.0k", "cpe:/a:openssl:openssl:1.0.1a", "cpe:/a:openssl:openssl:1.0.1e", "cpe:/a:openssl:openssl:1.0.1d", "cpe:/a:openssl:openssl:1.0.0a", "cpe:/a:openssl:openssl:1.0.1g", "cpe:/a:openssl:openssl:1.0.0h", "cpe:/a:openssl:openssl:1.0.1b", "cpe:/a:openssl:openssl:1.0.1h", "cpe:/a:openssl:openssl:1.0.0l", "cpe:/a:openssl:openssl:1.0.0i", "cpe:/a:openssl:openssl:1.0.0f", "cpe:/a:openssl:openssl:1.0.1c", "cpe:/a:openssl:openssl:1.0.0e", "cpe:/a:openssl:openssl:1.0.0g", "cpe:/a:openssl:openssl:1.0.1i", "cpe:/a:openssl:openssl:1.0.0o", "cpe:/a:openssl:openssl:1.0.0j", "cpe:/a:openssl:openssl:1.0.0b", "cpe:/a:openssl:openssl:1.0.0d", "cpe:/a:openssl:openssl:1.0.1j", "cpe:/a:openssl:openssl:1.0.1f", "cpe:/a:openssl:openssl:1.0.0m", "cpe:/a:openssl:openssl:1.0.0n", "cpe:/a:openssl:openssl:1.0.0c", "cpe:/a:openssl:openssl:0.9.8zc"], "modified": "2017-11-14T21:29:05", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275", "id": "CVE-2014-8275", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2017-06-08T00:16:26", "references": [], "edition": 1, "description": "\nF5 Product Development has assigned ID 500093 (BIG-IP), ID 500088 (BIG-IP Edge clients) and ID LRS-37957 (LineRate) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. In addition, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) lists Heuristic H505539 on the **Diagnostics** > **Identified** > **High** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 \n \n| Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \n \nBIG-IP AAM | 11.4.0 - 11.6.0 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP AFM | 11.3.0 - 11.6.0 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP Analytics | 11.0.0 - 11.6.0 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP APM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP ASM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP DNS | None | 12.0.0 | None \nBIG-IP Edge Gateway \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \n \n \nBIG-IP GTM | None \n| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | None \nBIG-IP Link Controller | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP PEM | 11.3.0 - 11.6.0 \n| 12.0.0 | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP PSM | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| None | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None | Virtual servers utilizing an iRule that implement X509::hash for custom blacklisting. \nARX | None | 6.0.0 - 6.4.0 \n| None \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0 \n| None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 \n| None \n \nBIG-IQ ADC | None | 4.5.0 | None \nBIG-IQ Cloud | None \n| 4.0.0 - 4.5.0 \n| None \n \nBIG-IQ Device | None \n| 4.2.0 - 4.5.0 \n| None \nLineRate | 2.4.0 - 2.5.0 \n| None | OpenSSL \nTraffix | 3.3.2 - 4.1.0 | None | OpenSSL \nBIG-IP Edge Clients for Android \n| 2.0.0 - 2.0.6 | 2.0.7 \n| VPN \nBIG-IP Edge Clients for Apple iOS | 2.0.0 - 2.0.4 \n1.0.5 - 1.0.6 | 2.0.5 \n| VPN \nBIG-IP Edge Clients for Linux \n| 6035.x - 7110.x | 7120.x \n| VPN \n \nBIG-IP Edge Clients for MAC OS X | 6035.x - 7110.x | 7120.x | VPN \nBIG-IP Edge Clients for Windows | 6035.x - 7110.x | 7120.x | VPN \nBIG-IP Edge Clients Windows Phone 8.1 | 1.0.0.x | None \n| VPN \nBIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | Not vulnerable \nBIG-IP Edge Portal for Apple iOS | None | 1.0.0 - 1.0.3 | Not vulnerable\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 is responding to this vulnerability as determined by the parameters defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, navigate to the respective product: \n\n\n * [BIG-IP products \n](<https://support.f5.com/csp/article/K16136#bigip>)\n * [Traffix \n](<https://support.f5.com/csp/article/K16136#traffix>)\n * [LineRate](<https://support.f5.com/csp/article/K16136#linerate>)\n\n**BIG-IP products** \n\n\nTo mitigate this vulnerability, you can discontinue the use of **X509::hash** and use another mechanism for blacklisting. \n\n\n**Traffix products \n**\n\nTo mitigate this vulnerability, you can upgrade with the Traffix package for January 2015 which contains **openssl-1.0.1e-30**. For more information, refer to the F5 Traffix representative for your region. \n\n\n**LineRate**\n\nNone \n\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "reporter": "f5", "published": "2015-02-13T00:20:00", "title": "OpenSSL vulnerability CVE-2014-8275", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-2014-8275"], "modified": "2016-01-09T02:19:00", "id": "F5:K16136", "href": "https://support.f5.com/csp/article/K16136", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openssl": [{"lastseen": "2016-09-26T17:22:34", "references": [], "edition": 1, "description": "OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate's fingerprint. This does not allow an attacker to forge certificates, and does not affect certificate verification or OpenSSL servers/clients in any other way. It also does not affect common revocation mechanisms. Only custom applications that rely on the uniqueness of the fingerprint (e.g. certificate blacklists) may be affected. Reported by Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google.", "reporter": "OpenSSL", "published": "2015-01-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2014-8275)", "bulletinFamily": "software", "affectedSoftware": [{"name": "openssl", "version": "1.0.0d", "operator": "eq"}, {"name": "openssl", "version": "0.9.8p", "operator": "eq"}, {"name": "openssl", "version": "1.0.0b", "operator": "eq"}, {"name": "openssl", "version": "0.9.8q", "operator": "eq"}, {"name": "openssl", "version": "0.9.8e", "operator": "eq"}, {"name": "openssl", "version": "1.0.1c", "operator": "eq"}, {"name": "openssl", "version": "1.0.0", "operator": "eq"}, {"name": "openssl", "version": "1.0.0o", "operator": "eq"}, {"name": "openssl", "version": "0.9.8t", "operator": "eq"}, {"name": "openssl", "version": "1.0.0e", "operator": "eq"}, {"name": "openssl", "version": "0.9.8w", "operator": "eq"}, {"name": "openssl", "version": "1.0.0a", "operator": "eq"}, {"name": "openssl", "version": "1.0.1b", "operator": "eq"}, {"name": "openssl", "version": "0.9.8c", "operator": "eq"}, {"name": "openssl", "version": "0.9.8o", "operator": "eq"}, {"name": "openssl", "version": "0.9.8j", "operator": "eq"}, {"name": "openssl", "version": "1.0.0j", "operator": "eq"}, {"name": "openssl", "version": "0.9.8l", "operator": "eq"}, {"name": "openssl", "version": "1.0.0k", "operator": "eq"}, {"name": "openssl", "version": "0.9.8n", "operator": "eq"}, {"name": "openssl", "version": "1.0.1a", "operator": "eq"}, {"name": "openssl", "version": "0.9.8d", "operator": "eq"}, {"name": "openssl", "version": "1.0.1d", "operator": "eq"}, {"name": "openssl", "version": "0.9.8i", "operator": "eq"}, {"name": "openssl", "version": "0.9.8g", "operator": "eq"}, {"name": "openssl", "version": "0.9.8m", "operator": "eq"}, {"name": "openssl", "version": "0.9.8v", "operator": "eq"}, {"name": "openssl", "version": "1.0.0l", "operator": "eq"}, {"name": "openssl", "version": "0.9.8u", "operator": "eq"}, {"name": "openssl", "version": "1.0.1", "operator": "eq"}, {"name": "openssl", "version": "1.0.1f", "operator": "eq"}, {"name": "openssl", "version": "0.9.8b", "operator": "eq"}, {"name": "openssl", "version": "1.0.0n", "operator": "eq"}, {"name": "openssl", "version": "0.9.8f", "operator": "eq"}, {"name": "openssl", "version": "1.0.0m", "operator": "eq"}, {"name": "openssl", "version": "1.0.1i", "operator": "eq"}, {"name": "openssl", "version": "0.9.8x", "operator": "eq"}, {"name": "openssl", "version": "0.9.8s", "operator": "eq"}, {"name": "openssl", "version": "0.9.8", "operator": "eq"}, {"name": "openssl", "version": "0.9.8r", "operator": "eq"}, {"name": "openssl", "version": "1.0.0c", "operator": "eq"}, {"name": "openssl", "version": "1.0.1j", "operator": "eq"}, {"name": "openssl", "version": "0.9.8a", "operator": "eq"}, {"name": "openssl", "version": "0.9.8zb", "operator": "eq"}, {"name": "openssl", "version": "0.9.8h", "operator": "eq"}, {"name": "openssl", "version": "1.0.0i", "operator": "eq"}, {"name": "openssl", "version": "0.9.8k", "operator": "eq"}, {"name": "openssl", "version": "1.0.1g", "operator": "eq"}, {"name": "openssl", "version": "1.0.0g", "operator": "eq"}, {"name": "openssl", "version": "1.0.1e", "operator": "eq"}, {"name": "openssl", "version": "0.9.8za", "operator": "eq"}, {"name": "openssl", "version": "1.0.1h", "operator": "eq"}, {"name": "openssl", "version": "0.9.8y", "operator": "eq"}, {"name": "openssl", "version": "1.0.0f", "operator": "eq"}, {"name": "openssl", "version": "0.9.8zc", "operator": "eq"}], "cvelist": ["CVE-2014-8275"], "modified": "2015-01-05T00:00:00", "id": "OPENSSL:CVE-2014-8275", "href": "https://www.openssl.org/news/vulnerabilities.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-02T00:09:27", "references": ["http://support.novell.com/security/cve/CVE-2015-0204.html", "http://support.novell.com/security/cve/CVE-2014-3572.html", "https://bugzilla.novell.com/show_bug.cgi?id=912014", "https://bugzilla.novell.com/show_bug.cgi?id=912296", "http://support.novell.com/security/cve/CVE-2015-0205.html", "https://bugzilla.novell.com/show_bug.cgi?id=912293", "http://support.novell.com/security/cve/CVE-2014-3570.html", "https://bugzilla.novell.com/show_bug.cgi?id=912015", "https://bugzilla.novell.com/show_bug.cgi?id=912018", "http://support.novell.com/security/cve/CVE-2014-8275.html"], "pluginID": "81120", "description": "OpenSSL (compat-openssl097g) has been updated to fix various security issues.\n\nMore information can be found in the openssl advisory:\nhttp://openssl.org/news/secadv_20150108.txt .\n\nThe following issues have been fixed :\n\n - Bignum squaring (BN_sqr) may have produced incorrect results on some platforms, including x86_64.\n (bsc#912296). (CVE-2014-3570)\n\n - Don't accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. (bsc#912015). (CVE-2014-3572)\n\n - Fixed various certificate fingerprint issues.\n (bsc#912018). (CVE-2014-8275)\n\n - Only allow ephemeral RSA keys in export ciphersuites.\n (bsc#912014). (CVE-2015-0204)\n\n - A fix was added to prevent use of DH client certificates without sending certificate verify message. Note that compat-openssl097g is not affected by this problem, a fix was however applied to the sources. (bsc#912293).\n (CVE-2015-0205)", "edition": 4, "reporter": "Tenable", "published": "2015-02-02T00:00:00", "title": "SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10208)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-06-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:compat-openssl097g-32bit", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:compat-openssl097g"], "id": "SUSE_11_COMPAT-OPENSSL097G-150122.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81120", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81120);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/06/21 04:38:56 $\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\");\n\n script_name(english:\"SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10208)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenSSL (compat-openssl097g) has been updated to fix various security\nissues.\n\nMore information can be found in the openssl advisory:\nhttp://openssl.org/news/secadv_20150108.txt .\n\nThe following issues have been fixed :\n\n - Bignum squaring (BN_sqr) may have produced incorrect\n results on some platforms, including x86_64.\n (bsc#912296). (CVE-2014-3570)\n\n - Don't accept a handshake using an ephemeral ECDH\n ciphersuites with the server key exchange message\n omitted. (bsc#912015). (CVE-2014-3572)\n\n - Fixed various certificate fingerprint issues.\n (bsc#912018). (CVE-2014-8275)\n\n - Only allow ephemeral RSA keys in export ciphersuites.\n (bsc#912014). (CVE-2015-0204)\n\n - A fix was added to prevent use of DH client certificates\n without sending certificate verify message. Note that\n compat-openssl097g is not affected by this problem, a\n fix was however applied to the sources. (bsc#912293).\n (CVE-2015-0205)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912015\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912296\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-3570.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-3572.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-8275.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0205.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 10208.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:compat-openssl097g\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:compat-openssl097g-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"compat-openssl097g-0.9.7g-146.22.27.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"compat-openssl097g-0.9.7g-146.22.27.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"compat-openssl097g-32bit-0.9.7g-146.22.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:42:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1180187", "https://bugzilla.redhat.com/show_bug.cgi?id=1180239", "https://bugzilla.redhat.com/show_bug.cgi?id=1180234", "https://bugzilla.redhat.com/show_bug.cgi?id=1180235", "http://www.nessus.org/u?1ecb24e0", "https://bugzilla.redhat.com/show_bug.cgi?id=1180240"], "pluginID": "80874", "description": "Multiple low and moderate impact security issues fixed.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-01-21T00:00:00", "title": "Fedora 20 : openssl-1.0.1e-41.fc20 (2015-0601)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0205"], "modified": "2015-10-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssl", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2015-0601.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80874", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-0601.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80874);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:49:04 $\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-8275\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_xref(name:\"FEDORA\", value:\"2015-0601\");\n\n script_name(english:\"Fedora 20 : openssl-1.0.1e-41.fc20 (2015-0601)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple low and moderate impact security issues fixed.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1180187\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1180234\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1180235\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1180239\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1180240\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148363.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1ecb24e0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"openssl-1.0.1e-41.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:38:14", "references": ["https://packages.debian.org/source/squeeze-lts/openssl", "https://lists.debian.org/debian-lts-announce/2015/01/msg00005.html"], "pluginID": "82115", "description": "Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues :\n\nCVE-2014-3570\n\nPieter Wuille of Blockstream reported that the bignum squaring (BN_sqr) may produce incorrect results on some platforms, which might make it easier for remote attackers to defeat cryptographic protection mechanisms.\n\nCVE-2014-3571\n\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. A remote attacker could use this flaw to mount a denial of service attack.\n\nCVE-2014-3572\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuite if the server key exchange message is omitted. This allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy.\n\nCVE-2014-8275\n\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project and Konrad Kraszewski of Google reported various certificate fingerprint issues, which allow remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client will accept the use of an ephemeral RSA key in a non-export RSA key exchange ciphersuite, violating the TLS standard.\nThis allows remote SSL servers to downgrade the security of the session.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2015-03-26T00:00:00", "title": "Debian DLA-132-1 : openssl security update (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2018-07-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libssl0.9.8-dbg", "p-cpe:/a:debian:debian_linux:libssl-dev", "p-cpe:/a:debian:debian_linux:libcrypto0.9.8-udeb", "p-cpe:/a:debian:debian_linux:libssl0.9.8", "p-cpe:/a:debian:debian_linux:openssl"], "id": "DEBIAN_DLA-132.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82115", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-132-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82115);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/06 11:26:06\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\");\n script_bugtraq_id(71935, 71936, 71937, 71939, 71942, 74107, 75769);\n\n script_name(english:\"Debian DLA-132-1 : openssl security update (FREAK)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in OpenSSL, a Secure\nSockets Layer toolkit. The Common Vulnerabilities and Exposures\nproject identifies the following issues :\n\nCVE-2014-3570\n\nPieter Wuille of Blockstream reported that the bignum squaring\n(BN_sqr) may produce incorrect results on some platforms, which might\nmake it easier for remote attackers to defeat cryptographic protection\nmechanisms.\n\nCVE-2014-3571\n\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully\ncrafted DTLS message can cause a segmentation fault in OpenSSL due to\na NULL pointer dereference. A remote attacker could use this flaw to\nmount a denial of service attack.\n\nCVE-2014-3572\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client would accept a handshake using an ephemeral ECDH\nciphersuite if the server key exchange message is omitted. This allows\nremote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and\ntrigger a loss of forward secrecy.\n\nCVE-2014-8275\n\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project\nand Konrad Kraszewski of Google reported various certificate\nfingerprint issues, which allow remote attackers to defeat a\nfingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client will accept the use of an ephemeral RSA key in a\nnon-export RSA key exchange ciphersuite, violating the TLS standard.\nThis allows remote SSL servers to downgrade the security of the\nsession.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/01/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/openssl\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcrypto0.9.8-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl0.9.8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl0.9.8-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libcrypto0.9.8-udeb\", reference:\"0.9.8o-4squeeze19\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl-dev\", reference:\"0.9.8o-4squeeze19\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl0.9.8\", reference:\"0.9.8o-4squeeze19\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl0.9.8-dbg\", reference:\"0.9.8o-4squeeze19\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openssl\", reference:\"0.9.8o-4squeeze19\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:44:52", "references": ["http://www.nessus.org/u?c015995e"], "pluginID": "81726", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]\n\n - fix CVE-2014-3570 - Bignum squaring may produce incorrect results\n\n - fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record\n\n - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]\n\n - fix CVE-2014-8275 - Certificate fingerprints can be modified\n\n - fix CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]\n\n - properly lock X509_STORE accesses (#1168938)", "edition": 7, "reporter": "Tenable", "published": "2015-03-10T00:00:00", "title": "OracleVM 3.2 : openssl (OVMSA-2015-0029) (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "OracleVM Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2018-07-24T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.2", "p-cpe:/a:oracle:vm:openssl"], "id": "ORACLEVM_OVMSA-2015-0029.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81726", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0029.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81726);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\");\n script_bugtraq_id(71935, 71936, 71937, 71939, 71942, 74107, 75769);\n\n script_name(english:\"OracleVM 3.2 : openssl (OVMSA-2015-0029) (FREAK)\");\n script_summary(english:\"Checks the RPM output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Backport openssl 08-Jan-2015 security fixes (John Haxby)\n [orabug 20409893]\n\n - fix CVE-2014-3570 - Bignum squaring may produce\n incorrect results\n\n - fix CVE-2014-3571 - DTLS segmentation fault in\n dtls1_get_record\n\n - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH\n [Client]\n\n - fix CVE-2014-8275 - Certificate fingerprints can be\n modified\n\n - fix CVE-2015-0204 - RSA silently downgrades to\n EXPORT_RSA [Client]\n\n - properly lock X509_STORE accesses (#1168938)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2015-March/000281.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c015995e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/09\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! ereg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"openssl-0.9.8e-32.0.1.el5_11\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:01:07", "references": ["http://www.nessus.org/u?bd646a4f"], "pluginID": "82270", "description": "The remote host has a version of Cisco AnyConnect Secure Mobility Client installed that is prior to 3.1.7021.0, or else it is a version equal or prior to 4.0.0048.0. It is, therefore, affected by multiple vulnerabilities in the OpenSSL library :\n\n - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with dtls1_get_record when handling DTLS messages. A remote attacker, using a specially crafted DTLS message, can cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)\n\n - A memory leak occurs in dtls1_buffer_record when handling a saturation of DTLS records containing the same number sequence but for the next epoch. This allows a remote attacker to cause a denial of service.\n (CVE-2015-0206)", "edition": 5, "reporter": "Tenable", "published": "2015-03-26T00:00:00", "title": "Cisco AnyConnect Secure Mobility Client < 3.1(7021) / <= 4.0(48) Multiple Vulnerabilities (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2018-07-06T00:00:00", "cpe": ["cpe:/a:cisco:anyconnect_secure_mobility_client"], "id": "CISCO_ANYCONNECT_3_1_7021.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82270", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82270);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/06 11:26:08\");\n\n script_cve_id(\n \"CVE-2014-3570\",\n \"CVE-2014-3571\",\n \"CVE-2014-8275\",\n \"CVE-2015-0204\",\n \"CVE-2015-0206\"\n );\n script_bugtraq_id(71935, 71936, 71937, 71939, 71940);\n script_xref(name:\"CERT\", value:\"243585\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus42726\");\n\n script_name(english:\"Cisco AnyConnect Secure Mobility Client < 3.1(7021) / <= 4.0(48) Multiple Vulnerabilities (FREAK)\");\n script_summary(english:\"Checks the version of the Cisco AnyConnect client.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of Cisco AnyConnect Secure Mobility\nClient installed that is prior to 3.1.7021.0, or else it is a version\nequal or prior to 4.0.0048.0. It is, therefore, affected by multiple\nvulnerabilities in the OpenSSL library :\n\n - The BIGNUM squaring (BN_sqr) implementation does not\n properly calculate the square of a BIGNUM value. This\n allows remote attackers to defeat cryptographic\n protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with\n dtls1_get_record when handling DTLS messages. A remote\n attacker, using a specially crafted DTLS message, can\n cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists when accepting non-DER variations of\n certificate signature algorithms and signature encodings\n due to a lack of enforcement of matches between signed\n and unsigned portions. A remote attacker, by including\n crafted data within a certificate's unsigned portion,\n can bypass fingerprint-based certificate-blacklist\n protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK\n (Factoring attack on RSA-EXPORT Keys), exists due to the\n support of weak EXPORT_RSA cipher suites with keys less\n than or equal to 512 bits. A man-in-the-middle attacker\n may be able to downgrade the SSL/TLS connection to use\n EXPORT_RSA cipher suites which can be factored in a\n short amount of time, allowing the attacker to intercept\n and decrypt the traffic. (CVE-2015-0204)\n\n - A memory leak occurs in dtls1_buffer_record\n when handling a saturation of DTLS records containing\n the same number sequence but for the next epoch. This\n allows a remote attacker to cause a denial of service.\n (CVE-2015-0206)\");\n # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bd646a4f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco AnyConnect Secure Mobility Client 3.1(7021) or\nlater, or refer to the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:anyconnect_secure_mobility_client\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_anyconnect_vpn_installed.nasl\");\n script_require_keys(\"installed_sw/Cisco AnyConnect Secure Mobility Client\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_name = \"Cisco AnyConnect Secure Mobility Client\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\npath = install['path'];\nver = install['version'];\n\nfix_display = NULL;\n\nif (ver =~ \"^[0-3]\\.\" && ver_compare(ver:ver, fix:\"3.1.7021.0\", strict:FALSE) == -1)\n fix_display = '3.1.7021 (3.1(7021))';\nelse if (ver =~ \"^4\\.\" && ver_compare(ver:ver, fix:\"4.0.48.0\", strict:FALSE) <= 0)\n fix_display = 'Refer to the vendor for a fix.';\n\nif (isnull(fix_display))\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, ver, path);\n\nport = get_kb_item('SMB/transport');\nif (!port) port = 445;\n\nif (report_verbosity > 0)\n{\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix_display +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:43:02", "references": ["http://www.nessus.org/u?bd646a4f"], "pluginID": "82271", "description": "The remote Mac OS X host has a version of Cisco AnyConnect Secure Mobility Client installed that is prior to 3.1.7021.0, or else it is a version equal or prior to 4.0.0048.0. It is, therefore, affected by multiple vulnerabilities in the OpenSSL library :\n\n - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with dtls1_get_record when handling DTLS messages. A remote attacker, using a specially crafted DTLS message, can cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)\n\n - A memory leak occurs in dtls1_buffer_record when handling a saturation of DTLS records containing the same number sequence but for the next epoch. This allows a remote attacker to cause a denial of service.\n (CVE-2015-0206)", "edition": 5, "reporter": "Tenable", "published": "2015-03-26T00:00:00", "title": "Mac OS X : Cisco AnyConnect Secure Mobility Client < 3.1(7021) <= 4.0(48) Multiple Vulnerabilities (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/a:cisco:anyconnect_secure_mobility_client"], "id": "MACOSX_CISCO_ANYCONNECT_3_1_7021.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82271", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82271);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2014-3570\",\n \"CVE-2014-3571\",\n \"CVE-2014-8275\",\n \"CVE-2015-0204\",\n \"CVE-2015-0206\"\n );\n script_bugtraq_id(71935, 71936, 71937, 71939, 71940);\n script_xref(name:\"CERT\", value:\"243585\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus42726\");\n\n script_name(english:\"Mac OS X : Cisco AnyConnect Secure Mobility Client < 3.1(7021) <= 4.0(48) Multiple Vulnerabilities (FREAK)\"); \n script_summary(english:\"Checks the version of the Cisco AnyConnect client.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Cisco AnyConnect Secure\nMobility Client installed that is prior to 3.1.7021.0, or else it is a\nversion equal or prior to 4.0.0048.0. It is, therefore, affected by\nmultiple vulnerabilities in the OpenSSL library :\n\n - The BIGNUM squaring (BN_sqr) implementation does not\n properly calculate the square of a BIGNUM value. This\n allows remote attackers to defeat cryptographic\n protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with\n dtls1_get_record when handling DTLS messages. A remote\n attacker, using a specially crafted DTLS message, can\n cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists when accepting non-DER variations of\n certificate signature algorithms and signature encodings\n due to a lack of enforcement of matches between signed\n and unsigned portions. A remote attacker, by including\n crafted data within a certificate's unsigned portion,\n can bypass fingerprint-based certificate-blacklist\n protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK\n (Factoring attack on RSA-EXPORT Keys), exists due to the\n support of weak EXPORT_RSA cipher suites with keys less\n than or equal to 512 bits. A man-in-the-middle attacker\n may be able to downgrade the SSL/TLS connection to use\n EXPORT_RSA cipher suites which can be factored in a\n short amount of time, allowing the attacker to intercept\n and decrypt the traffic. (CVE-2015-0204)\n\n - A memory leak occurs in dtls1_buffer_record\n when handling a saturation of DTLS records containing\n the same number sequence but for the next epoch. This\n allows a remote attacker to cause a denial of service.\n (CVE-2015-0206)\");\n # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bd646a4f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco AnyConnect Secure Mobility Client 3.1(7021) or\nlater, or refer to the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:anyconnect_secure_mobility_client\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_cisco_anyconnect_installed.nasl\");\n script_require_keys(\"installed_sw/Cisco AnyConnect Secure Mobility Client\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nappname = \"Cisco AnyConnect Secure Mobility Client\";\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\npath = install['path'];\nver = install['version'];\n\nfix_display = NULL;\n\nif (ver =~ \"^([0-2]|3\\.[01])\\.\" && ver_compare(ver:ver, fix:\"3.1.7021\", strict:FALSE) == -1)\n fix_display = '3.1.7021 (3.1(7021))';\nelse if (ver =~ \"^4\\.0\\.\" && ver_compare(ver:ver, fix:\"4.0.00048\", strict:FALSE) <= 0)\n fix_display = 'Refer to the vendor for a fix.';\n\nif (isnull(fix_display))\n audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);\n\nif (report_verbosity > 0)\n{\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix_display +\n '\\n';\n security_warning(port:0, extra:report);\n}\nelse security_warning(0);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:51:51", "references": ["http://www.nessus.org/u?409efa43"], "pluginID": "81903", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]\n\n - fix CVE-2014-3570 - Bignum squaring may produce incorrect results\n\n - fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record\n\n - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]\n\n - fix CVE-2014-8275 - Certificate fingerprints can be modified\n\n - fix CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]\n\n - properly lock X509_STORE accesses (#1168938)", "edition": 7, "reporter": "Tenable", "published": "2015-03-18T00:00:00", "title": "OracleVM 2.2 : openssl (OVMSA-2015-0030) (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "OracleVM Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2018-07-24T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:2.2", "p-cpe:/a:oracle:vm:openssl"], "id": "ORACLEVM_OVMSA-2015-0030.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81903", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0030.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81903);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\");\n script_bugtraq_id(71935, 71936, 71937, 71939, 71942, 74107, 75769);\n\n script_name(english:\"OracleVM 2.2 : openssl (OVMSA-2015-0030) (FREAK)\");\n script_summary(english:\"Checks the RPM output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Backport openssl 08-Jan-2015 security fixes (John Haxby)\n [orabug 20409893]\n\n - fix CVE-2014-3570 - Bignum squaring may produce\n incorrect results\n\n - fix CVE-2014-3571 - DTLS segmentation fault in\n dtls1_get_record\n\n - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH\n [Client]\n\n - fix CVE-2014-8275 - Certificate fingerprints can be\n modified\n\n - fix CVE-2015-0204 - RSA silently downgrades to\n EXPORT_RSA [Client]\n\n - properly lock X509_STORE accesses (#1168938)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2015-March/000286.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?409efa43\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! ereg(pattern:\"^OVS\" + \"2\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 2.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS2.2\", reference:\"openssl-0.9.8e-32.0.1.el5_11\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:05:47", "references": ["https://www.openssl.org/news/secadv/20150108.txt", "https://www.openssl.org/news/openssl-0.9.8-notes.html", "https://www.smacktls.com/#freak", "https://www.openssl.org/news/vulnerabilities.html"], "pluginID": "80566", "description": "According to its banner, the remote web server uses a version of OpenSSL 0.9.8 prior to 0.9.8zd. The OpenSSL library is, therefore, affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw exists when the SSLv3 option isn't enabled and an SSLv3 ClientHello is received. This allows a remote attacker, using an unexpected handshake, to crash the daemon, resulting in a denial of service. (CVE-2014-3569)\n\n - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with dtls1_get_record() when handling DTLS messages. A remote attacker, using a specially crafted DTLS message, can cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists with ECDH handshakes when using an ECDSA certificate without a ServerKeyExchange message. This allows a remote attacker to trigger a loss of forward secrecy from the ciphersuite. (CVE-2014-3572)\n\n - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)", "edition": 5, "reporter": "Tenable", "published": "2015-01-16T00:00:00", "title": "OpenSSL 0.9.8 < 0.9.8zd Multiple Vulnerabilities (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2014-3569"], "modified": "2018-07-16T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_0_9_8ZD.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80566", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80566);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/07/16 14:09:14\");\n\n script_cve_id(\n \"CVE-2014-3569\",\n \"CVE-2014-3570\",\n \"CVE-2014-3571\",\n \"CVE-2014-3572\",\n \"CVE-2014-8275\",\n \"CVE-2015-0204\"\n );\n script_bugtraq_id(\n 71934,\n 71935,\n 71936,\n 71937,\n 71939,\n 71942\n );\n script_xref(name:\"CERT\", value:\"243585\");\n\n script_name(english:\"OpenSSL 0.9.8 < 0.9.8zd Multiple Vulnerabilities (FREAK)\");\n script_summary(english:\"Performs a banner check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote service is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote web server uses a version of\nOpenSSL 0.9.8 prior to 0.9.8zd. The OpenSSL library is, therefore,\naffected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw exists when the SSLv3\n option isn't enabled and an SSLv3 ClientHello is\n received. This allows a remote attacker, using an\n unexpected handshake, to crash the daemon, resulting in\n a denial of service. (CVE-2014-3569)\n\n - The BIGNUM squaring (BN_sqr) implementation does not\n properly calculate the square of a BIGNUM value. This\n allows remote attackers to defeat cryptographic\n protection mechanisms. (CVE-2014-3570)\n\n - A NULL pointer dereference flaw exists with\n dtls1_get_record() when handling DTLS messages. A remote\n attacker, using a specially crafted DTLS message, can\n cause a denial of service. (CVE-2014-3571)\n\n - A flaw exists with ECDH handshakes when using an ECDSA\n certificate without a ServerKeyExchange message. This\n allows a remote attacker to trigger a loss of forward\n secrecy from the ciphersuite. (CVE-2014-3572)\n\n - A flaw exists when accepting non-DER variations of\n certificate signature algorithms and signature encodings\n due to a lack of enforcement of matches between signed\n and unsigned portions. A remote attacker, by including\n crafted data within a certificate's unsigned portion,\n can bypass fingerprint-based certificate-blacklist\n protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK\n (Factoring attack on RSA-EXPORT Keys), exists due to the\n support of weak EXPORT_RSA cipher suites with keys less\n than or equal to 512 bits. A man-in-the-middle attacker\n may be able to downgrade the SSL/TLS connection to use\n EXPORT_RSA cipher suites which can be factored in a\n short amount of time, allowing the attacker to intercept\n and decrypt the traffic. (CVE-2015-0204)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/openssl-0.9.8-notes.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20150108.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/vulnerabilities.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.smacktls.com/#freak\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to OpenSSL 0.9.8zd or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"openssl_version.nasl\");\n script_require_keys(\"openssl/port\");\n\n exit(0);\n}\n\ninclude(\"openssl_version.inc\");\n\nopenssl_check_version(fixed:'0.9.8zd', min:\"0.9.8\", severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:16", "references": ["http://support.novell.com/security/cve/CVE-2014-3571.html", "https://bugzilla.novell.com/show_bug.cgi?id=912294", "http://support.novell.com/security/cve/CVE-2015-0204.html", "http://support.novell.com/security/cve/CVE-2014-3572.html", "https://bugzilla.novell.com/show_bug.cgi?id=912014", "https://bugzilla.novell.com/show_bug.cgi?id=912296", "http://support.novell.com/security/cve/CVE-2015-0205.html", "https://bugzilla.novell.com/show_bug.cgi?id=912293", "http://support.novell.com/security/cve/CVE-2014-3570.html", "https://bugzilla.novell.com/show_bug.cgi?id=912015", "https://bugzilla.novell.com/show_bug.cgi?id=912018", "http://support.novell.com/security/cve/CVE-2014-8275.html"], "pluginID": "81124", "description": "OpenSSL has been updated to fix various security issues.\n\nMore information can be found in the OpenSSL advisory:\nhttp://openssl.org/news/secadv_20150108.txt .\n\nThe following issues have been fixed :\n\n - Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. (bsc#912296).\n (CVE-2014-3570)\n\n - Fix crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.\n (bsc#912294). (CVE-2014-3571)\n\n - Don't accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. (bsc#912015). (CVE-2014-3572)\n\n - Fix various certificate fingerprint issues.\n (bsc#912018). (CVE-2014-8275)\n\n - Only allow ephemeral RSA keys in export ciphersuites.\n (bsc#912014). (CVE-2015-0204)\n\n - OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't support DH certificates and this typo prohibits skipping of certificate verify message for sign only certificates anyway. (bsc#912293). (CVE-2015-0205)", "edition": 4, "reporter": "Tenable", "published": "2015-02-02T00:00:00", "title": "SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10150)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-06-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:openssl", "p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac", "p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-32bit", "p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:openssl-doc", "p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac-32bit"], "id": "SUSE_11_LIBOPENSSL-DEVEL-150112.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81124", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81124);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/06/21 04:38:56 $\");\n\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\");\n\n script_name(english:\"SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10150)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenSSL has been updated to fix various security issues.\n\nMore information can be found in the OpenSSL advisory:\nhttp://openssl.org/news/secadv_20150108.txt .\n\nThe following issues have been fixed :\n\n - Bignum squaring (BN_sqr) may produce incorrect results\n on some platforms, including x86_64. (bsc#912296).\n (CVE-2014-3570)\n\n - Fix crash in dtls1_get_record whilst in the listen state\n where you get two separate reads performed - one for the\n header and one for the body of the handshake record.\n (bsc#912294). (CVE-2014-3571)\n\n - Don't accept a handshake using an ephemeral ECDH\n ciphersuites with the server key exchange message\n omitted. (bsc#912015). (CVE-2014-3572)\n\n - Fix various certificate fingerprint issues.\n (bsc#912018). (CVE-2014-8275)\n\n - Only allow ephemeral RSA keys in export ciphersuites.\n (bsc#912014). (CVE-2015-0204)\n\n - OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it\n doesn't support DH certificates and this typo prohibits\n skipping of certificate verify message for sign only\n certificates anyway. (bsc#912293). (CVE-2015-0205)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912015\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912294\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=912296\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-3570.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-3571.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-3572.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-8275.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0205.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 10150.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:openssl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"libopenssl0_9_8-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"openssl-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libopenssl0_9_8-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libopenssl0_9_8-32bit-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"openssl-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libopenssl0_9_8-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libopenssl0_9_8-hmac-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"openssl-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"openssl-doc-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"libopenssl0_9_8-32bit-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"libopenssl0_9_8-hmac-32bit-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"libopenssl0_9_8-32bit-0.9.8j-0.68.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"libopenssl0_9_8-hmac-32bit-0.9.8j-0.68.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:45:29", "references": ["https://www.openssl.org/news/secadv/20150108.txt", "https://www.smacktls.com/#freak", "https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679"], "pluginID": "82912", "description": "According to its self-reported version number, the remote Juniper Junos device is affected by the following vulnerabilities related to OpenSSL :\n\n - A NULL pointer dereference flaw exists when the SSLv3 option isn't enabled and an SSLv3 ClientHello is received. This allows a remote attacker, using an unexpected handshake, to crash the daemon, resulting in a denial of service. (CVE-2014-3569)\n\n - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570)\n\n - A flaw exists with ECDH handshakes when using an ECDSA certificate without a ServerKeyExchange message. This allows a remote attacker to trigger a loss of forward secrecy from the ciphersuite. (CVE-2014-3572)\n\n - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)\n\n - A flaw exists when accepting DH certificates for client authentication without the CertificateVerify message.\n This allows a remote attacker to authenticate to the service without a private key. (CVE-2015-0205)\n\nNote that these issues only affects devices with J-Web or the SSL service for JUNOScript enabled.", "edition": 6, "reporter": "Tenable", "published": "2015-04-21T00:00:00", "title": "Juniper Junos Multiple OpenSSL Vulnerabilities (JSA10679) (FREAK)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Junos Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2018-07-12T00:00:00", "cpe": ["cpe:/a:openssl:openssl", "cpe:/o:juniper:junos"], "id": "JUNIPER_JSA10679.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82912", "sourceData": "#TRUSTED 168cee9d349a90c4c66dd321ac31282a4010a5d4bbb4286c360527e3dbc69c712981be3ebdb98b5158d9b90611e3934102255095de818a3a533a9e97a403d8fd7d2bd036eb7da2bad6d06744f5462411c81954d0e628e538ea0959e039fc6305aa5f1244aa9a46be7d27445cab4bac6158648a62998ce282f93d3e185574f719dc8d5b9bf0f2982268ce6c9571218d786f6936959594f6450c321e3a390bacab9eeff1fc03f6248e3f591af744fc7e8b5412ec92c282ed0623784b3e4588119757e9e599d653c683f050060e9951e58963020f48391e9132ca3519e46ab47fb85bd43c90a68cab35890283f3a7ed8f37d6fceeeb04e0216bc0ccfabae3cdaf5aaf4165c5d94ad99c0ed2835f1fef2dac9eb74e4fb960e35185defb526844adfb6441ca934e2144a4376a5decda1b6a28cb51116b7356d606f106b7f452eda111a803f921ff4c1040a40dd4ad46c9a6a4dd258120bbc203297f9ee215b8b35f9b17ba336a7fc70ba2176a54823650ac1f569b551184bd765265d869e52e19b8297555084ad9f98f3a13c2c98cdd4cdb21e529737ce29261a8851c6bf8f50c758f097065da78debd9f448e1be9364747f47fbf00619e409b60044170ffa7238a547221562822ada7149aad8a9be52cbbb0f21d3b0f7c748f3b691f254bdea9d86ece9e6496113655939ad4d0324c8fcd943f7bb3ce25f423ae2a481a33425be9f4\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82912);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/12\");\n\n script_cve_id(\n \"CVE-2014-3569\",\n \"CVE-2014-3570\",\n \"CVE-2014-3572\",\n \"CVE-2014-8275\",\n \"CVE-2015-0204\",\n \"CVE-2015-0205\"\n );\n script_bugtraq_id(71934, 71935, 71936, 71939, 71941, 71942);\n script_xref(name:\"JSA\", value:\"JSA10679\");\n script_xref(name:\"CERT\", value:\"243585\");\n\n script_name(english:\"Juniper Junos Multiple OpenSSL Vulnerabilities (JSA10679) (FREAK)\");\n script_summary(english:\"Checks the Junos version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Juniper\nJunos device is affected by the following vulnerabilities related to\nOpenSSL :\n\n - A NULL pointer dereference flaw exists when the SSLv3\n option isn't enabled and an SSLv3 ClientHello is\n received. This allows a remote attacker, using an\n unexpected handshake, to crash the daemon, resulting in\n a denial of service. (CVE-2014-3569)\n\n - The BIGNUM squaring (BN_sqr) implementation does not\n properly calculate the square of a BIGNUM value. This\n allows remote attackers to defeat cryptographic\n protection mechanisms. (CVE-2014-3570)\n\n - A flaw exists with ECDH handshakes when using an ECDSA\n certificate without a ServerKeyExchange message. This\n allows a remote attacker to trigger a loss of forward\n secrecy from the ciphersuite. (CVE-2014-3572)\n\n - A flaw exists when accepting non-DER variations of\n certificate signature algorithms and signature encodings\n due to a lack of enforcement of matches between signed\n and unsigned portions. A remote attacker, by including\n crafted data within a certificate's unsigned portion,\n can bypass fingerprint-based certificate-blacklist\n protection mechanisms. (CVE-2014-8275)\n\n - A security feature bypass vulnerability, known as FREAK\n (Factoring attack on RSA-EXPORT Keys), exists due to the\n support of weak EXPORT_RSA cipher suites with keys less\n than or equal to 512 bits. A man-in-the-middle attacker\n may be able to downgrade the SSL/TLS connection to use\n EXPORT_RSA cipher suites which can be factored in a\n short amount of time, allowing the attacker to intercept\n and decrypt the traffic. (CVE-2015-0204)\n\n - A flaw exists when accepting DH certificates for client\n authentication without the CertificateVerify message.\n This allows a remote attacker to authenticate to the\n service without a private key. (CVE-2015-0205)\n\nNote that these issues only affects devices with J-Web or the SSL\nservice for JUNOScript enabled.\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20150108.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.smacktls.com/#freak\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant Junos software release or workaround referenced in\nJuniper advisory JSA10679.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n \n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/JUNOS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos_kb_cmd_func.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\n\nfixes = make_array();\nfixes['12.1X44'] = '12.1X44-D50';\nfixes['12.1X46'] = '12.1X46-D35';\nfixes['12.1X47'] = '12.1X47-D25';\nfixes['12.3'] = '12.3R10';\nfixes['12.3X48'] = '12.3X48-D10';\nfixes['13.2'] = '13.2R8';\nfixes['13.3'] = '13.3R6';\nfixes['14.1'] = '14.1R5';\nfixes['14.2'] = '14.2R3';\n\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\n# HTTPS or XNM-SSL must be enabled\noverride = TRUE;\nbuf = junos_command_kb_item(cmd:\"show configuration | display set\");\nif (buf)\n{\n patterns = make_list(\n \"^set system services web-management http(s)? interface\", # J-Web\n \"^set system services xnm-ssl\" # SSL Service for JUNOScript (XNM-SSL)\n );\n foreach pattern (patterns)\n {\n if (junos_check_config(buf:buf, pattern:pattern))\n {\n override = FALSE;\n break;\n }\n }\n if (override)\n audit(AUDIT_HOST_NOT,\n 'affected because J-Web and SSL Service for JUNOScript (XNM-SSL) are not enabled');\n}\n\njunos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:46:20", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-devel-0.9.8e-32.0.1.el5_11.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.ia64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-perl-0.9.8e-32.0.1.el5_11.ia64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-perl-0.9.8e-32.0.1.el5_11.i386.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-perl-0.9.8e-32.0.1.el5_11.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-0.9.8e-32.0.1.el5_11.i386.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-devel-0.9.8e-32.0.1.el5_11.ia64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-devel-0.9.8e-32.0.1.el5_11.i386.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-32.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-devel-0.9.8e-32.0.1.el5_11.i386.rpm", "packageName": "openssl-devel", "operator": "lt"}], "description": "[0.9.8e-32.0.1]\n- Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]\n- fix CVE-2014-3570 - Bignum squaring may produce incorrect results\n- fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record\n- fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]\n- fix CVE-2014-8275 - Certificate fingerprints can be modified\n- fix CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]", "edition": 3, "reporter": "Oracle", "published": "2015-02-26T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2015-02-26T00:00:00", "id": "ELSA-2015-3010", "href": "http://linux.oracle.com/errata/ELSA-2015-3010.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:43:50", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-devel-0.9.8e-33.0.1.el5_11.i386.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-devel-0.9.8e-33.0.1.el5_11.i386.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "src", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-devel-0.9.8e-33.0.1.el5_11.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.ia64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-perl-0.9.8e-33.0.1.el5_11.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "x86_64", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i686", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-perl-0.9.8e-33.0.1.el5_11.i386.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "i386", "packageFilename": "openssl-0.9.8e-33.0.1.el5_11.i386.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-perl-0.9.8e-33.0.1.el5_11.ia64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "0.9.8e-33.0.1.el5_11", "arch": "ia64", "packageFilename": "openssl-devel-0.9.8e-33.0.1.el5_11.ia64.rpm", "packageName": "openssl-devel", "operator": "lt"}], "description": "[0.9.8e-33]\n- fix CVE-2014-8275 (without introduction of CVE-2015-0286) - various\n certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server", "edition": 3, "reporter": "Oracle", "published": "2015-04-13T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-0286", "CVE-2015-0288", "CVE-2014-8275", "CVE-2015-0293", "CVE-2015-0204", "CVE-2015-0287", "CVE-2015-0289", "CVE-2015-0292"], "modified": "2015-04-13T00:00:00", "id": "ELSA-2015-0800", "href": "http://linux.oracle.com/errata/ELSA-2015-0800.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:47:43", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "src", "packageFilename": "openssl-1.0.1e-34.el7_0.7.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "src", "packageFilename": "openssl-1.0.1e-30.el6_6.5.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "src", "packageFilename": "openssl-1.0.1e-30.el6_6.5.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}], "description": "[1.0.1e-34.7]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records", "edition": 3, "reporter": "Oracle", "published": "2015-01-20T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-01-20T00:00:00", "id": "ELSA-2015-0066", "href": "http://linux.oracle.com/errata/ELSA-2015-0066.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:49:27", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-libs-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "i686", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "src", "packageFilename": "openssl-1.0.1e-51.ksplice1.el7_2.7.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-libs-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "src", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-48.ksplice1.el6_8.3.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}], "description": "[1.0.1e-48.3]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n- replace expired testing certificates\n[1.0.1e-48.1]\n- fix CVE-2016-2105 - possible overflow in base64 encoding\n- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()\n- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC\n- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO\n- fix CVE-2016-0799 - memory issues in BIO_printf\n[1.0.1e-48]\n- fix CVE-2016-0702 - side channel attack on modular exponentiation\n- fix CVE-2016-0705 - double-free in DSA private key parsing\n- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn\n[1.0.1e-47]\n- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement\n- disable SSLv2 in the generic TLS method\n[1.0.1e-46]\n- fix 1-byte memory leak in pkcs12 parse (#1229871)\n- document some options of the speed command (#1197095)\n[1.0.1e-45]\n- fix high-precision timestamps in timestamping authority\n[1.0.1e-44]\n- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2\n[1.0.1e-43]\n- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter\n- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak\n- fix CVE-2015-3196 - race condition when handling PSK identity hint\n[1.0.1e-42]\n- fix regression caused by mistake in fix for CVE-2015-1791\n[1.0.1e-41]\n- improved fix for CVE-2015-1791\n- add missing parts of CVE-2015-0209 fix for corectness although unexploitable\n[1.0.1e-40]\n- fix CVE-2014-8176 - invalid free in DTLS buffering code\n- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time\n- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent\n- fix CVE-2015-1791 - race condition handling NewSessionTicket\n- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function\n[1.0.1e-39]\n- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on\n read in multithreaded applications\n[1.0.1e-38]\n- fix CVE-2015-4000 - prevent the logjam attack on client - restrict\n the DH key size to at least 768 bits (limit will be increased in future)\n[1.0.1e-37]\n- drop the AES-GCM restriction of 2^32 operations because the IV is\n always 96 bits (32 bit fixed field + 64 bit invocation field)\n[1.0.1e-36]\n- update fix for CVE-2015-0287 to what was released upstream\n[1.0.1e-35]\n- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()\n- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server\n[1.0.1e-34]\n- copy digest algorithm when handling SNI context switch\n- improve documentation of ciphersuites - patch by Hubert Kario\n- add support for setting Kerberos service and keytab in\n s_server and s_client\n[1.0.1e-33]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\n[1.0.1e-32]\n- use FIPS approved method for computation of d in RSA\n[1.0.1e-31]\n- fix CVE-2014-3567 - memory leak when handling session tickets\n- fix CVE-2014-3513 - memory leak in srtp support\n- add support for fallback SCSV to partially mitigate CVE-2014-3566\n (padding attack on SSL3)\n[1.0.1e-30]\n- add ECC TLS extensions to DTLS (#1119800)\n[1.0.1e-29]\n- fix CVE-2014-3505 - doublefree in DTLS packet processing\n- fix CVE-2014-3506 - avoid memory exhaustion in DTLS\n- fix CVE-2014-3507 - avoid memory leak in DTLS\n- fix CVE-2014-3508 - fix OID handling to avoid information leak\n- fix CVE-2014-3509 - fix race condition when parsing server hello\n- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS\n- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation\n[1.0.1e-28]\n- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support\n[1.0.1e-26]\n- drop EXPORT, RC2, and DES from the default cipher list (#1057520)\n- print ephemeral key size negotiated in TLS handshake (#1057715)\n- do not include ECC ciphersuites in SSLv2 client hello (#1090952)\n- properly detect encryption failure in BIO (#1100819)\n- fail on hmac integrity check if the .hmac file is empty (#1105567)\n- FIPS mode: make the limitations on DSA, DH, and RSA keygen\n length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment\n variable is set\n[1.0.1e-25]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-24]\n- add back support for secp521r1 EC curve\n[1.0.1e-23]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-22]\n- use 2048 bit RSA key in FIPS selftests\n[1.0.1e-21]\n- add DH_compute_key_padded needed for FIPS CAVS testing\n- make 3des strength to be 128 bits instead of 168 (#1056616)\n- FIPS mode: do not generate DSA keys and DH parameters < 2048 bits\n- FIPS mode: use approved RSA keygen (allows only 2048 and 3072 bit keys)\n- FIPS mode: add DH selftest\n- FIPS mode: reseed DRBG properly on RAND_add()\n- FIPS mode: add RSA encrypt/decrypt selftest\n- FIPS mode: add hard limit for 2^32 GCM block encryptions with the same key\n- use the key length from configuration file if req -newkey rsa is invoked\n[1.0.1e-20]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n[1.0.1e-19]\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1.0.1e-18]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n[1.0.1e-17]\n- add back some no-op symbols that were inadvertently dropped\n[1.0.1e-16]\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1e-15]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n[1.0.1e-14]\n- installation of dracut-fips marks that the FIPS module is installed\n[1.0.1e-13]\n- avoid dlopening libssl.so from libcrypto\n[1.0.1e-12]\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-11]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n[1.0.1e-9]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-8]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-7]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-6]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-5]\n- use _prefix macro\n[1.0.1e-4]\n- add relro linking flag\n[1.0.1e-2]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-1]\n- rebase to the 1.0.1e upstream version\n[1.0.0-28]\n- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)\n- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)\n- enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB\n environment variable is set (fixes CVE-2012-4929 #857051)\n- use __secure_getenv() everywhere instead of getenv() (#839735)\n[1.0.0-27]\n- fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)\n- drop superfluous lib64 fixup in pkgconfig .pc files (#770872)\n- force BIO_accept_new(*:\n) to listen on IPv4\n[1.0.0-26]\n- use PKCS#8 when writing private keys in FIPS mode as the old\n PEM encryption mode is not FIPS compatible (#812348)\n[1.0.0-25]\n- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)\n- properly initialize tkeylen in the CVE-2012-0884 fix\n[1.0.0-24]\n- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)\n[1.0.0-23]\n- fix problem with the SGC restart patch that might terminate handshake\n incorrectly\n- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)\n- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)\n[1.0.0-22]\n- fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes\n[1.0.0-21]\n- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery\n vulnerability and additional DTLS fixes (#771770)\n- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)\n- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)\n- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)\n[1.0.0-20]\n- fix x86cpuid.pl - patch by Paolo Bonzini\n[1.0.0-19]\n- add known answer test for SHA2 algorithms\n[1.0.0-18]\n- fix missing initialization of a variable in the CHIL engine (#740188)\n[1.0.0-17]\n- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207\n (#736087)\n[1.0.0-16]\n- merge the optimizations for AES-NI, SHA1, and RC4 from the intelx\n engine to the internal implementations\n[1.0.0-15]\n- better documentation of the available digests in apps (#693858)\n- backported CHIL engine fixes (#693863)\n- allow testing build without downstream patches (#708511)\n- enable partial RELRO when linking (#723994)\n- add intelx engine with improved performance on new Intel CPUs\n- add OPENSSL_DISABLE_AES_NI environment variable which disables\n the AES-NI support (does not affect the intelx engine)\n[1.0.0-14]\n- use the AES-NI engine in the FIPS mode\n[1.0.0-11]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0-10]\n- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)\n- correct the README.FIPS document", "edition": 3, "reporter": "Oracle", "published": "2016-09-27T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-4000", "CVE-2013-0166", "CVE-2014-3505", "CVE-2012-2333", "CVE-2014-3508", "CVE-2015-1792", "CVE-2014-3566", "CVE-2015-3197", "CVE-2011-4108", "CVE-2014-3572", "CVE-2016-6306", "CVE-2016-0705", "CVE-2015-0206", "CVE-2015-1789", "CVE-2016-2183", "CVE-2013-0169", "CVE-2015-0286", "CVE-2013-6449", "CVE-2016-2178", "CVE-2014-3507", "CVE-2015-3195", "CVE-2016-2108", "CVE-2011-4576", "CVE-2014-3571", "CVE-2016-0799", "CVE-2016-6302", "CVE-2014-3513", "CVE-2016-2177", "CVE-2015-0288", "CVE-2012-1165", "CVE-2011-4577", "CVE-2014-0224", "CVE-2016-2105", "CVE-2015-3194", "CVE-2016-2107", "CVE-2011-4619", "CVE-2014-3511", "CVE-2011-0014", "CVE-2014-8275", "CVE-2016-2180", "CVE-2016-0797", "CVE-2016-0702", "CVE-2014-3570", "CVE-2015-7575", "CVE-2015-3196", "CVE-2014-3470", "CVE-2014-3506", "CVE-2016-2109", "CVE-2012-4929", "CVE-2016-2181", "CVE-2016-6304", "CVE-2013-6450", "CVE-2012-0050", "CVE-2015-0293", "CVE-2010-5298", "CVE-2014-0160", "CVE-2014-8176", "CVE-2013-4353", "CVE-2014-0195", "CVE-2014-0198", "CVE-2015-0209", "CVE-2014-3567", "CVE-2015-0204", "CVE-2012-2110", "CVE-2012-0884", "CVE-2015-1790", "CVE-2014-3510", "CVE-2016-2182", "CVE-2015-0287", "CVE-2011-3207", "CVE-2015-0289", "CVE-2015-3216", "CVE-2015-0292", "CVE-2015-0205", "CVE-2016-2179", "CVE-2016-2106", "CVE-2014-3509", "CVE-2015-1791", "CVE-2014-0221"], "modified": "2016-09-27T00:00:00", "id": "ELSA-2016-3621", "href": "http://linux.oracle.com/errata/ELSA-2016-3621.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-01T23:50:07", "references": ["http://linux.oracle.com/errata/ELSA-2015-3010.html"], "pluginID": "1361412562310123178", "description": "Oracle Linux Local Security Checks ELSA-2015-3010", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-10-06T00:00:00", "title": "Oracle Linux Local Check: ELSA-2015-3010", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:1361412562310123178", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123178", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Oracle Linux Local Check \n# $Id: ELSA-2015-3010.nasl 6560 2017-07-06 11:58:38Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.123178\");\nscript_version(\"$Revision: 6560 $\");\nscript_tag(name:\"creation_date\", value:\"2015-10-06 09:48:55 +0300 (Tue, 06 Oct 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 13:58:38 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Oracle Linux Local Check: ELSA-2015-3010\");\nscript_tag(name: \"insight\", value: \"ELSA-2015-3010 - openssl security update - [0.9.8e-32.0.1]- Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]- fix CVE-2014-3570 - Bignum squaring may produce incorrect results- fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record- fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]- fix CVE-2014-8275 - Certificate fingerprints can be modified- fix CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_tag(name : \"summary\", value : \"Oracle Linux Local Security Checks ELSA-2015-3010\");\nscript_xref(name : \"URL\" , value : \"http://linux.oracle.com/errata/ELSA-2015-3010.html\");\nscript_cve_id(\"CVE-2014-3570\",\"CVE-2014-3571\",\"CVE-2014-3572\",\"CVE-2014-8275\",\"CVE-2015-0204\");\nscript_tag(name:\"cvss_base\", value:\"5.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Oracle Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.8e~32.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.8e~32.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~32.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:49:45", "references": ["https://alas.aws.amazon.com/ALAS-2015-469.html"], "pluginID": "1361412562310120456", "description": "Amazon Linux Local Security Checks", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-09-08T00:00:00", "title": "Amazon Linux Local Check: ALAS-2015-469", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2014-3568", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:1361412562310120456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120456", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Amazon Linux security check \n# $Id: alas-2015-469.nasl 6575 2017-07-06 13:42:08Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@iki.fi> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.120456\");\nscript_version(\"$Revision: 6575 $\");\nscript_tag(name:\"creation_date\", value:\"2015-09-08 13:26:46 +0200 (Tue, 08 Sep 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:42:08 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Amazon Linux Local Check: ALAS-2015-469\");\nscript_tag(name: \"insight\", value: \"OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.\"); \nscript_tag(name : \"solution\", value : \"Run yum update openssl to update your system.\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://alas.aws.amazon.com/ALAS-2015-469.html\");\nscript_cve_id(\"CVE-2014-3571\", \"CVE-2014-3570\", \"CVE-2014-3572\", \"CVE-2014-3569\", \"CVE-2014-8275\", \"CVE-2015-0205\", \"CVE-2015-0204\", \"CVE-2015-0206\");\nscript_tag(name:\"cvss_base\", value:\"5.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Amazon Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~1.0.1k~1.82.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~1.0.1k~1.82.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~1.0.1k~1.82.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1k~1.82.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"openssl-static\", rpm:\"openssl-static~1.0.1k~1.82.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:52:59", "references": ["http://lists.centos.org/pipermail/centos-announce/2015-January/020884.html", "2015:0066"], "pluginID": "1361412562310882101", "description": "Check the version of openssl", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-01-23T00:00:00", "title": "CentOS Update for openssl CESA-2015:0066 centos6 ", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310882101", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882101", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssl CESA-2015:0066 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882101\");\n script_version(\"$Revision: 6657 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-23 12:57:35 +0100 (Fri, 23 Jan 2015)\");\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"CentOS Update for openssl CESA-2015:0066 centos6 \");\n script_tag(name: \"summary\", value: \"Check the version of openssl\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),\nTransport Layer Security (TLS), and Datagram Transport Layer Security\n(DTLS) protocols, as well as a full-strength, general purpose cryptography\nlibrary.\n\nA NULL pointer dereference flaw was found in the DTLS implementation of\nOpenSSL. A remote attacker could send a specially crafted DTLS message,\nwhich would cause an OpenSSL server to crash. (CVE-2014-3571)\n\nA memory leak flaw was found in the way the dtls1_buffer_record() function\nof OpenSSL parsed certain DTLS messages. A remote attacker could send\nmultiple specially crafted DTLS messages to exhaust all available memory of\na DTLS server. (CVE-2015-0206)\n\nIt was found that OpenSSL's BigNumber Squaring implementation could produce\nincorrect results under certain special conditions. This flaw could\npossibly affect certain OpenSSL library functionality, such as RSA\nblinding. Note that this issue occurred rarely and with a low probability,\nand there is currently no known way of exploiting it. (CVE-2014-3570)\n\nIt was discovered that OpenSSL would perform an ECDH key exchange with a\nnon-ephemeral key even when the ephemeral ECDH cipher suite was selected.\nA malicious server could make a TLS/SSL client using OpenSSL use a weaker\nkey exchange method than the one requested by the user. (CVE-2014-3572)\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nIt was found that an OpenSSL server would, under certain conditions, accept\nDiffie-Hellman client certificates without the use of a private key.\nAn attacker could use a user's client certificate to authenticate as that\nuser, without needing the private key. (CVE-2015-0205)\n\nAll OpenSSL users are advised to upgrade to these updated packages, which\ncontain a backported patch to mitigate the above issues. For the update to\ntake effect, all services linked to the OpenSSL library (such as httpd and\nother SSL-enabled services) must be restarted or the system rebooted.\n\");\n script_tag(name: \"affected\", value: \"openssl on CentOS 6\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:0066\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-January/020884.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1e~30.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~1.0.1e~30.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~1.0.1e~30.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-static\", rpm:\"openssl-static~1.0.1e~30.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:50:42", "references": ["2015:0800-01", "https://www.redhat.com/archives/rhsa-announce/2015-April/msg00016.html"], "pluginID": "1361412562310871353", "description": "Check the version of openssl", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-04-14T00:00:00", "title": "RedHat Update for openssl RHSA-2015:0800-01", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0288", "CVE-2014-8275", "CVE-2015-0293", "CVE-2015-0204", "CVE-2015-0287", "CVE-2015-0289", "CVE-2015-0292"], "modified": "2017-07-12T00:00:00", "id": "OPENVAS:1361412562310871353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871353", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssl RHSA-2015:0800-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871353\");\n script_version(\"$Revision: 6689 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:50:06 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-14 07:17:13 +0200 (Tue, 14 Apr 2015)\");\n script_cve_id(\"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0287\", \"CVE-2015-0288\",\n \"CVE-2015-0289\", \"CVE-2015-0292\", \"CVE-2015-0293\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssl RHSA-2015:0800-01\");\n script_tag(name: \"summary\", value: \"Check the version of openssl\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nAn integer underflow flaw, leading to a buffer overflow, was found in the\nway OpenSSL decoded malformed Base64-encoded inputs. An attacker able to\nmake an application using OpenSSL decode a specially crafted Base64-encoded\ninput (such as a PEM file) could use this flaw to cause the application to\ncrash. Note: this flaw is not exploitable via the TLS/SSL protocol because\nthe data being transferred is not Base64-encoded. (CVE-2015-0292)\n\nA denial of service flaw was found in the way OpenSSL handled SSLv2\nhandshake messages. A remote attacker could use this flaw to cause a\nTLS/SSL server using OpenSSL to exit on a failed assertion if it had both\nthe SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nAn out-of-bounds write flaw was found in the way OpenSSL reused certain\nASN.1 structures. A remote attacker could possibly use a specially crafted\nASN.1 structure that, when parsed by an application, would cause that\napplication to crash. (CVE-2015-0287)\n\nA NULL pointer dereference flaw was found in OpenSSL's X.509 certificate\nhandling implementation. A specially crafted X.509 certificate could cause\nan application using OpenSSL to crash if the application attempted to\nconvert the certificate to a certificate request. (CVE-2015-0288)\n\nA NULL pointer dereference was found in the way OpenSSL handled certain\nPKCS#7 inputs. An attacker able to make an application using OpenSSL\nverify, decrypt, or parse a specially crafted PKCS#7 input could cause that\napplication to crash. TLS/SSL clients and servers using OpenSSL were not\naffected by this flaw. (CVE-2015-0289)\n\nRed Hat would like to thank the OpenSSL project for reporting\nCVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and\nCVE-2015-0293. Upstream acknowledges Emilia Kasper of the OpenSSL\ndevelopment team as the original reporter of CVE-2015-0287, Brian Carpenter\nas the original reporter ...\n\n Description truncated, for more information please check the Reference URL\");\n script_tag(name: \"affected\", value: \"openssl on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"RHSA\", value: \"2015:0800-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2015-April/msg00016.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~0.9.8e~33.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~0.9.8e~33.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~0.9.8e~33.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~0.9.8e~33.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:51", "references": ["http://linux.oracle.com/errata/ELSA-2015-0066.html"], "pluginID": "1361412562310123203", "description": "Oracle Linux Local Security Checks ELSA-2015-0066", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-10-06T00:00:00", "title": "Oracle Linux Local Check: ELSA-2015-0066", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:1361412562310123203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123203", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Oracle Linux Local Check \n# $Id: ELSA-2015-0066.nasl 6560 2017-07-06 11:58:38Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.123203\");\nscript_version(\"$Revision: 6560 $\");\nscript_tag(name:\"creation_date\", value:\"2015-10-06 14:00:40 +0300 (Tue, 06 Oct 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 13:58:38 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Oracle Linux Local Check: ELSA-2015-0066\");\nscript_tag(name: \"insight\", value: \"ELSA-2015-0066 - openssl security update - [1.0.1e-34.7]- fix CVE-2014-3570 - incorrect computation in BN_sqr()- fix CVE-2014-3571 - possible crash in dtls1_get_record()- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state- fix CVE-2014-8275 - various certificate fingerprint issues- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export ciphersuites and on server- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_tag(name : \"summary\", value : \"Oracle Linux Local Security Checks ELSA-2015-0066\");\nscript_xref(name : \"URL\" , value : \"http://linux.oracle.com/errata/ELSA-2015-0066.html\");\nscript_cve_id(\"CVE-2014-3570\",\"CVE-2014-3571\",\"CVE-2014-3572\",\"CVE-2014-8275\",\"CVE-2015-0204\",\"CVE-2015-0205\",\"CVE-2015-0206\");\nscript_tag(name:\"cvss_base\", value:\"5.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Oracle Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1e~34.el7_0.7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~1.0.1e~34.el7_0.7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-libs\", rpm:\"openssl-libs~1.0.1e~34.el7_0.7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~1.0.1e~34.el7_0.7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-static\", rpm:\"openssl-static~1.0.1e~34.el7_0.7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1e~30.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~1.0.1e~30.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~1.0.1e~30.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"openssl-static\", rpm:\"openssl-static~1.0.1e~30.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:46:30", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl"], "pluginID": "1361412562310105679", "description": "Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:\n\n CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability\n CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability\n CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability\n CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability\n CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability\n CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability\n CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability\n CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue\n\nCisco will release software updates that address these vulnerabilities.\n\nWorkarounds that mitigate these vulnerabilities may be available.\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl", "edition": 3, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-05-10T00:00:00", "title": "Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CISCO", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2017-03-28T00:00:00", "id": "OPENVAS:1361412562310105679", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105679", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ios_xe_cisco-sa-20150310-ssl.nasl 5745 2017-03-28 09:01:00Z teissa $\n#\n# Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105679\");\n script_cve_id(\"CVE-2014-3571\",\"CVE-2015-0206\",\"CVE-2014-3569\",\"CVE-2014-3572\",\"CVE-2015-0204\",\"CVE-2015-0205\",\"CVE-2014-8275\",\"CVE-2014-3570\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version (\"$Revision: 5745 $\");\n\n script_name(\"Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl\");\n \n\n script_tag(name: \"vuldetect\" , value:\"Check the version.\");\n\n script_tag(name: \"solution\" , value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name: \"summary\" , value:\"Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:\n\n CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability\n CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability\n CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability\n CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability\n CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability\n CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability\n CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability\n CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue\n\nCisco will release software updates that address these vulnerabilities.\n\nWorkarounds that mitigate these vulnerabilities may be available.\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-28 11:01:00 +0200 (Tue, 28 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-10 10:55:20 +0200 (Tue, 10 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list( \n\t\t'3.3.0S',\n\t\t'3.3.1S',\n\t\t'3.3.2S',\n\t\t'3.4.0S',\n\t\t'3.4.1S',\n\t\t'3.4.2S',\n\t\t'3.4.3S',\n\t\t'3.4.4S',\n\t\t'3.4.5S',\n\t\t'3.4.6S',\n\t\t'3.5.0S',\n\t\t'3.5.1S',\n\t\t'3.5.2S',\n\t\t'3.6.0S',\n\t\t'3.6.1S',\n\t\t'3.6.2S',\n\t\t'3.7.0S',\n\t\t'3.7.1S',\n\t\t'3.7.2S',\n\t\t'3.7.3S',\n\t\t'3.7.4S',\n\t\t'3.7.5S',\n\t\t'3.7.6S',\n\t\t'3.8.0S',\n\t\t'3.8.1S',\n\t\t'3.8.2S',\n\t\t'3.9.0S',\n\t\t'3.9.1S',\n\t\t'3.9.2S' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:52:38", "references": ["http://www.debian.org/security/2015/dsa-3125.html"], "pluginID": "703125", "description": "Multiple vulnerabilities have been\ndiscovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities\nand Exposures project identifies the following issues:\n\nCVE-2014-3569\nFrank Schmirler reported that the ssl23_get_client_hello function in\nOpenSSL does not properly handle attempts to use unsupported\nprotocols. When OpenSSL is built with the no-ssl3 option and a SSL\nv3 ClientHello is received, the ssl method would be set to NULL which\ncould later result in a NULL pointer dereference and daemon crash.\n\nCVE-2014-3570\nPieter Wuille of Blockstream reported that the bignum squaring\n(BN_sqr) may produce incorrect results on some platforms, which\nmight make it easier for remote attackers to defeat cryptographic\nprotection mechanisms.\n\nCVE-2014-3571\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully\ncrafted DTLS message can cause a segmentation fault in OpenSSL due\nto a NULL pointer dereference. A remote attacker could use this flaw\nto mount a denial of service attack.\n\nCVE-2014-3572\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client would accept a handshake using an ephemeral ECDH\nciphersuite if the server key exchange message is omitted. This\nallows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks\nand trigger a loss of forward secrecy.\n\nCVE-2014-8275\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project\nand Konrad Kraszewski of Google reported various certificate\nfingerprint issues, which allow remote attackers to defeat a\nfingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that\nan OpenSSL client will accept the use of an ephemeral RSA key in a\nnon-export RSA key exchange ciphersuite, violating the TLS\nstandard. This allows remote SSL servers to downgrade the security\nof the session.\n\nCVE-2015-0205\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL server will accept a DH certificate for client\nauthentication without the certificate verify message. This flaw\neffectively allows a client to authenticate without the use of a\nprivate key via crafted TLS handshake protocol traffic to a server\nthat recognizes a certification authority with DH support.\n\nCVE-2015-0206\nChris Mueller discovered a memory leak in the dtls1_buffer_record\nfunction. A remote attacker could exploit this flaw to mount a\ndenial of service through memory exhaustion by repeatedly sending\nspecially crafted DTLS records.", "edition": 3, "reporter": "Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net", "published": "2015-01-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 3125-1 (openssl - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703125", "id": "OPENVAS:703125", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3125.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3125-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703125);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2014-3569\", \"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\",\n \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_name(\"Debian Security Advisory DSA 3125-1 (openssl - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-01-11 00:00:00 +0100 (Sun, 11 Jan 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3125.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"openssl on Debian Linux\");\n script_tag(name: \"insight\", value: \"This package contains the openssl binary and related tools.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 1.0.1e-2+deb7u14.\n\nFor the upcoming stable distribution (jessie), these problems will be\nfixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.0.1k-1.\n\nWe recommend that you upgrade your openssl packages.\");\n script_tag(name: \"summary\", value: \"Multiple vulnerabilities have been\ndiscovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities\nand Exposures project identifies the following issues:\n\nCVE-2014-3569\nFrank Schmirler reported that the ssl23_get_client_hello function in\nOpenSSL does not properly handle attempts to use unsupported\nprotocols. When OpenSSL is built with the no-ssl3 option and a SSL\nv3 ClientHello is received, the ssl method would be set to NULL which\ncould later result in a NULL pointer dereference and daemon crash.\n\nCVE-2014-3570\nPieter Wuille of Blockstream reported that the bignum squaring\n(BN_sqr) may produce incorrect results on some platforms, which\nmight make it easier for remote attackers to defeat cryptographic\nprotection mechanisms.\n\nCVE-2014-3571\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully\ncrafted DTLS message can cause a segmentation fault in OpenSSL due\nto a NULL pointer dereference. A remote attacker could use this flaw\nto mount a denial of service attack.\n\nCVE-2014-3572\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client would accept a handshake using an ephemeral ECDH\nciphersuite if the server key exchange message is omitted. This\nallows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks\nand trigger a loss of forward secrecy.\n\nCVE-2014-8275\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project\nand Konrad Kraszewski of Google reported various certificate\nfingerprint issues, which allow remote attackers to defeat a\nfingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that\nan OpenSSL client will accept the use of an ephemeral RSA key in a\nnon-export RSA key exchange ciphersuite, violating the TLS\nstandard. This allows remote SSL servers to downgrade the security\nof the session.\n\nCVE-2015-0205\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL server will accept a DH certificate for client\nauthentication without the certificate verify message. This flaw\neffectively allows a client to authenticate without the use of a\nprivate key via crafted TLS handshake protocol traffic to a server\nthat recognizes a certification authority with DH support.\n\nCVE-2015-0206\nChris Mueller discovered a memory leak in the dtls1_buffer_record\nfunction. A remote attacker could exploit this flaw to mount a\ndenial of service through memory exhaustion by repeatedly sending\nspecially crafted DTLS records.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libssl-dev\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl-doc\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl1.0.0\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl1.0.0-dbg\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openssl\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:50:30", "references": ["2459-1", "http://www.ubuntu.com/usn/usn-2459-1/"], "pluginID": "1361412562310842062", "description": "Check the version of openssl", "edition": 8, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-01-23T00:00:00", "title": "Ubuntu Update for openssl USN-2459-1", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2018-08-17T00:00:00", "id": "OPENVAS:1361412562310842062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842062", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for openssl USN-2459-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842062\");\n script_version(\"$Revision: 11037 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-17 13:51:16 +0200 (Fri, 17 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-23 12:58:57 +0100 (Fri, 23 Jan 2015)\");\n script_cve_id(\"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\",\n \"CVE-2015-0204\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Ubuntu Update for openssl USN-2459-1\");\n script_tag(name:\"summary\", value:\"Check the version of openssl\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Pieter Wuille discovered that OpenSSL\nincorrectly handled Bignum squaring. (CVE-2014-3570)\n\nMarkus Stenberg discovered that OpenSSL incorrectly handled certain crafted\nDTLS messages. A remote attacker could use this issue to cause OpenSSL to\ncrash, resulting in a denial of service. (CVE-2014-3571)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain\nhandshakes. A remote attacker could possibly use this issue to downgrade to\nECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)\n\nAntti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that\nOpenSSL incorrectly handled certain certificate fingerprints. A remote\nattacker could possibly use this issue to trick certain applications that\nrely on the uniqueness of fingerprints. (CVE-2014-8275)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain\nkey exchanges. A remote attacker could possibly use this issue to downgrade\nthe security of the session to EXPORT_RSA. (CVE-2015-0204)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled client\nauthentication. A remote attacker could possibly use this issue to\nauthenticate without the use of a private key in certain limited scenarios.\nThis issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0205)\n\nChris Mueller discovered that OpenSSL incorrect handled memory when\nprocessing DTLS records. A remote attacker could use this issue to cause\nOpenSSL to consume resources, resulting in a denial of service. This issue\nonly affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.\n(CVE-2015-0206)\");\n script_tag(name:\"affected\", value:\"openssl on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2459-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2459-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS|10\\.04 LTS)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssl1.0.0:amd64\", ver:\"1.0.1f-1ubuntu9.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libssl1.0.0:i386\", ver:\"1.0.1f-1ubuntu9.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssl1.0.0:amd64\", ver:\"1.0.1f-1ubuntu2.8\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libssl1.0.0:i386\", ver:\"1.0.1f-1ubuntu2.8\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssl1.0.0\", ver:\"1.0.1-4ubuntu5.21\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssl0.9.8\", ver:\"0.9.8k-7ubuntu8.23\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:51:13", "references": ["2015:0130_1"], "pluginID": "1361412562310850630", "description": "Check the version of openssl", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-01-24T00:00:00", "title": "SuSE Update for openssl openSUSE-SU-2015:0130-1 (openssl)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310850630", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850630", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0130_1.nasl 8046 2017-12-08 08:48:56Z santu $\n#\n# SuSE Update for openssl openSUSE-SU-2015:0130-1 (openssl)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850630\");\n script_version(\"$Revision: 8046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:48:56 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-24 05:48:38 +0100 (Sat, 24 Jan 2015)\");\n script_cve_id(\"CVE-2014-3569\", \"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\", \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"SuSE Update for openssl openSUSE-SU-2015:0130-1 (openssl)\");\n script_tag(name: \"summary\", value: \"Check the version of openssl\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n openssl was updated to 1.0.1k to fix various security issues and bugs.\n\n More information can be found in the openssl advisory:\n <a rel='nofollow' href='http://openssl.org/news/secadv_20150108.txt'>http://openssl.org/news/secadv_20150108.txt\n\n Following issues were fixed:\n\n * CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may have produced\n incorrect results on some platforms, including x86_64.\n\n * CVE-2014-3571 (bsc#912294): Fixed crash in dtls1_get_record whilst in\n the listen state where you get two separate reads performed - one for\n the header and one for the body of the handshake record.\n\n * CVE-2014-3572 (bsc#912015): Don't accept a handshake using an ephemeral\n ECDH ciphersuites with the server key exchange message omitted.\n\n * CVE-2014-8275 (bsc#912018): Fixed various certificate fingerprint issues.\n\n * CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA keys in export\n ciphersuites\n\n * CVE-2015-0205 (bsc#912293): A fixwas added to prevent use of DH client\n certificates without sending certificate verify message.\n\n * CVE-2015-0206 (bsc#912292): A memory leak was fixed in\n dtls1_buffer_record.\");\n script_tag(name: \"affected\", value: \"openssl on openSUSE 13.1\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"openSUSE-SU\", value: \"2015:0130_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE13.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libopenssl-devel\", rpm:\"libopenssl-devel~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libopenssl1_0_0\", rpm:\"libopenssl1_0_0~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libopenssl1_0_0-debuginfo\", rpm:\"libopenssl1_0_0-debuginfo~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-debugsource\", rpm:\"openssl-debugsource~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libopenssl-devel-32bit\", rpm:\"libopenssl-devel-32bit~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libopenssl1_0_0-32bit\", rpm:\"libopenssl1_0_0-32bit~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libopenssl1_0_0-debuginfo-32bit\", rpm:\"libopenssl1_0_0-debuginfo-32bit~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssl-doc\", rpm:\"openssl-doc~1.0.1k~11.64.2\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:55", "references": ["http://www.debian.org/security/2015/dsa-3125.html"], "pluginID": "1361412562310703125", "description": "Multiple vulnerabilities have been\ndiscovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities\nand Exposures project identifies the following issues:\n\nCVE-2014-3569\nFrank Schmirler reported that the ssl23_get_client_hello function in\nOpenSSL does not properly handle attempts to use unsupported\nprotocols. When OpenSSL is built with the no-ssl3 option and a SSL\nv3 ClientHello is received, the ssl method would be set to NULL which\ncould later result in a NULL pointer dereference and daemon crash.\n\nCVE-2014-3570\nPieter Wuille of Blockstream reported that the bignum squaring\n(BN_sqr) may produce incorrect results on some platforms, which\nmight make it easier for remote attackers to defeat cryptographic\nprotection mechanisms.\n\nCVE-2014-3571\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully\ncrafted DTLS message can cause a segmentation fault in OpenSSL due\nto a NULL pointer dereference. A remote attacker could use this flaw\nto mount a denial of service attack.\n\nCVE-2014-3572\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client would accept a handshake using an ephemeral ECDH\nciphersuite if the server key exchange message is omitted. This\nallows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks\nand trigger a loss of forward secrecy.\n\nCVE-2014-8275\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project\nand Konrad Kraszewski of Google reported various certificate\nfingerprint issues, which allow remote attackers to defeat a\nfingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that\nan OpenSSL client will accept the use of an ephemeral RSA key in a\nnon-export RSA key exchange ciphersuite, violating the TLS\nstandard. This allows remote SSL servers to downgrade the security\nof the session.\n\nCVE-2015-0205\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL server will accept a DH certificate for client\nauthentication without the certificate verify message. This flaw\neffectively allows a client to authenticate without the use of a\nprivate key via crafted TLS handshake protocol traffic to a server\nthat recognizes a certification authority with DH support.\n\nCVE-2015-0206\nChris Mueller discovered a memory leak in the dtls1_buffer_record\nfunction. A remote attacker could exploit this flaw to mount a\ndenial of service through memory exhaustion by repeatedly sending\nspecially crafted DTLS records.", "edition": 3, "reporter": "Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net", "published": "2015-01-11T00:00:00", "title": "Debian Security Advisory DSA 3125-1 (openssl - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310703125", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703125", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3125.nasl 9355 2018-04-06 07:16:07Z cfischer $\n# Auto-generated from advisory DSA 3125-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703125\");\n script_version(\"$Revision: 9355 $\");\n script_cve_id(\"CVE-2014-3569\", \"CVE-2014-3570\", \"CVE-2014-3571\", \"CVE-2014-3572\",\n \"CVE-2014-8275\", \"CVE-2015-0204\", \"CVE-2015-0205\", \"CVE-2015-0206\");\n script_name(\"Debian Security Advisory DSA 3125-1 (openssl - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-04-06 09:16:07 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value: \"2015-01-11 00:00:00 +0100 (Sun, 11 Jan 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3125.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"openssl on Debian Linux\");\n script_tag(name: \"insight\", value: \"This package contains the openssl binary and related tools.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 1.0.1e-2+deb7u14.\n\nFor the upcoming stable distribution (jessie), these problems will be\nfixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.0.1k-1.\n\nWe recommend that you upgrade your openssl packages.\");\n script_tag(name: \"summary\", value: \"Multiple vulnerabilities have been\ndiscovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities\nand Exposures project identifies the following issues:\n\nCVE-2014-3569\nFrank Schmirler reported that the ssl23_get_client_hello function in\nOpenSSL does not properly handle attempts to use unsupported\nprotocols. When OpenSSL is built with the no-ssl3 option and a SSL\nv3 ClientHello is received, the ssl method would be set to NULL which\ncould later result in a NULL pointer dereference and daemon crash.\n\nCVE-2014-3570\nPieter Wuille of Blockstream reported that the bignum squaring\n(BN_sqr) may produce incorrect results on some platforms, which\nmight make it easier for remote attackers to defeat cryptographic\nprotection mechanisms.\n\nCVE-2014-3571\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully\ncrafted DTLS message can cause a segmentation fault in OpenSSL due\nto a NULL pointer dereference. A remote attacker could use this flaw\nto mount a denial of service attack.\n\nCVE-2014-3572\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL client would accept a handshake using an ephemeral ECDH\nciphersuite if the server key exchange message is omitted. This\nallows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks\nand trigger a loss of forward secrecy.\n\nCVE-2014-8275\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project\nand Konrad Kraszewski of Google reported various certificate\nfingerprint issues, which allow remote attackers to defeat a\nfingerprint-based certificate-blacklist protection mechanism.\n\nCVE-2015-0204\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that\nan OpenSSL client will accept the use of an ephemeral RSA key in a\nnon-export RSA key exchange ciphersuite, violating the TLS\nstandard. This allows remote SSL servers to downgrade the security\nof the session.\n\nCVE-2015-0205\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an\nOpenSSL server will accept a DH certificate for client\nauthentication without the certificate verify message. This flaw\neffectively allows a client to authenticate without the use of a\nprivate key via crafted TLS handshake protocol traffic to a server\nthat recognizes a certification authority with DH support.\n\nCVE-2015-0206\nChris Mueller discovered a memory leak in the dtls1_buffer_record\nfunction. A remote attacker could exploit this flaw to mount a\ndenial of service through memory exhaustion by repeatedly sending\nspecially crafted DTLS records.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libssl-dev\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl-doc\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl1.0.0\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl1.0.0-dbg\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openssl\", ver:\"1.0.1e-2+deb7u14\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-08-31T01:38:56", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "0.9.8o-4squeeze19", "arch": "all", "packageFilename": "openssl_0.9.8o-4squeeze19_all.deb", "packageName": "openssl", "operator": "lt"}], "description": "Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:\n\n * [CVE-2014-3570](<https://security-tracker.debian.org/tracker/CVE-2014-3570>)\n\nPieter Wuille of Blockstream reported that the bignum squaring (BN_sqr) may produce incorrect results on some platforms, which might make it easier for remote attackers to defeat cryptographic protection mechanisms.\n\n * [CVE-2014-3571](<https://security-tracker.debian.org/tracker/CVE-2014-3571>)\n\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. A remote attacker could use this flaw to mount a denial of service attack.\n\n * [CVE-2014-3572](<https://security-tracker.debian.org/tracker/CVE-2014-3572>)\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuite if the server key exchange message is omitted. This allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy.\n\n * [CVE-2014-8275](<https://security-tracker.debian.org/tracker/CVE-2014-8275>)\n\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project and Konrad Kraszewski of Google reported various certificate fingerprint issues, which allow remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism.\n\n * [CVE-2015-0204](<https://security-tracker.debian.org/tracker/CVE-2015-0204>)\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client will accept the use of an ephemeral RSA key in a non-export RSA key exchange ciphersuite, violating the TLS standard. This allows remote SSL servers to downgrade the security of the session.\n\nFor Debian 6 Squeeze, these issues have been fixed in openssl version 0.9.8o-4squeeze19", "edition": 2, "reporter": "Debian", "published": "2015-01-11T00:00:00", "title": "openssl -- LTS security update", "type": "debian", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204"], "modified": "2015-01-11T00:00:00", "id": "DLA-132", "href": "http://www.debian.org/security/2015/dla-132", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:36:34", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.0.1e-2+deb7u14", "arch": "all", "packageFilename": "openssl_1.0.1e-2+deb7u14_all.deb", "packageName": "openssl", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.0.1e-2+deb7u14", "arch": "all", "packageFilename": "libssl1.0.0-dbg_1.0.1e-2+deb7u14_all.deb", "packageName": "libssl1.0.0-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.0.1e-2+deb7u14", "arch": "all", "packageFilename": "libssl-dev_1.0.1e-2+deb7u14_all.deb", "packageName": "libssl-dev", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.0.1e-2+deb7u14", "arch": "all", "packageFilename": "libssl1.0.0_1.0.1e-2+deb7u14_all.deb", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.0.1e-2+deb7u14", "arch": "all", "packageFilename": "libssl-doc_1.0.1e-2+deb7u14_all.deb", "packageName": "libssl-doc", "operator": "lt"}], "description": "Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:\n\n * [CVE-2014-3569](<https://security-tracker.debian.org/tracker/CVE-2014-3569>)\n\nFrank Schmirler reported that the ssl23_get_client_hello function in OpenSSL does not properly handle attempts to use unsupported protocols. When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received, the ssl method would be set to NULL which could later result in a NULL pointer dereference and daemon crash.\n\n * [CVE-2014-3570](<https://security-tracker.debian.org/tracker/CVE-2014-3570>)\n\nPieter Wuille of Blockstream reported that the bignum squaring (BN_sqr) may produce incorrect results on some platforms, which might make it easier for remote attackers to defeat cryptographic protection mechanisms.\n\n * [CVE-2014-3571](<https://security-tracker.debian.org/tracker/CVE-2014-3571>)\n\nMarkus Stenberg of Cisco Systems, Inc. reported that a carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. A remote attacker could use this flaw to mount a denial of service attack.\n\n * [CVE-2014-3572](<https://security-tracker.debian.org/tracker/CVE-2014-3572>)\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuite if the server key exchange message is omitted. This allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy.\n\n * [CVE-2014-8275](<https://security-tracker.debian.org/tracker/CVE-2014-8275>)\n\nAntti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project and Konrad Kraszewski of Google reported various certificate fingerprint issues, which allow remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism.\n\n * [CVE-2015-0204](<https://security-tracker.debian.org/tracker/CVE-2015-0204>)\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL client will accept the use of an ephemeral RSA key in a non-export RSA key exchange ciphersuite, violating the TLS standard. This allows remote SSL servers to downgrade the security of the session.\n\n * [CVE-2015-0205](<https://security-tracker.debian.org/tracker/CVE-2015-0205>)\n\nKarthikeyan Bhargavan of the PROSECCO team at INRIA reported that an OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This flaw effectively allows a client to authenticate without the use of a private key via crafted TLS handshake protocol traffic to a server that recognizes a certification authority with DH support.\n\n * [CVE-2015-0206](<https://security-tracker.debian.org/tracker/CVE-2015-0206>)\n\nChris Mueller discovered a memory leak in the dtls1_buffer_record function. A remote attacker could exploit this flaw to mount a denial of service through memory exhaustion by repeatedly sending specially crafted DTLS records.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u14.\n\nFor the upcoming stable distribution (jessie), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.0.1k-1.\n\nWe recommend that you upgrade your openssl packages.", "edition": 4, "reporter": "Debian", "published": "2015-01-11T00:00:00", "title": "openssl -- security update", "type": "debian", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-01-11T00:00:00", "id": "DSA-3125", "href": "http://www.debian.org/security/dsa-3125", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:26:55", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0800.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "any", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0800\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nAn integer underflow flaw, leading to a buffer overflow, was found in the\nway OpenSSL decoded malformed Base64-encoded inputs. An attacker able to\nmake an application using OpenSSL decode a specially crafted Base64-encoded\ninput (such as a PEM file) could use this flaw to cause the application to\ncrash. Note: this flaw is not exploitable via the TLS/SSL protocol because\nthe data being transferred is not Base64-encoded. (CVE-2015-0292)\n\nA denial of service flaw was found in the way OpenSSL handled SSLv2\nhandshake messages. A remote attacker could use this flaw to cause a\nTLS/SSL server using OpenSSL to exit on a failed assertion if it had both\nthe SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nAn out-of-bounds write flaw was found in the way OpenSSL reused certain\nASN.1 structures. A remote attacker could possibly use a specially crafted\nASN.1 structure that, when parsed by an application, would cause that\napplication to crash. (CVE-2015-0287)\n\nA NULL pointer dereference flaw was found in OpenSSL's X.509 certificate\nhandling implementation. A specially crafted X.509 certificate could cause\nan application using OpenSSL to crash if the application attempted to\nconvert the certificate to a certificate request. (CVE-2015-0288)\n\nA NULL pointer dereference was found in the way OpenSSL handled certain\nPKCS#7 inputs. An attacker able to make an application using OpenSSL\nverify, decrypt, or parse a specially crafted PKCS#7 input could cause that\napplication to crash. TLS/SSL clients and servers using OpenSSL were not\naffected by this flaw. (CVE-2015-0289)\n\nRed Hat would like to thank the OpenSSL project for reporting \nCVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and \nCVE-2015-0293. Upstream acknowledges Emilia Kasper of the OpenSSL \ndevelopment team as the original reporter of CVE-2015-0287, Brian Carpenter \nas the original reporter of CVE-2015-0288, Michal Zalewski of Google as the \noriginal reporter of CVE-2015-0289, Robert Dugal and David Ramos as the \noriginal reporters of CVE-2015-0292, and Sean Burford of Google and Emilia \nKasper of the OpenSSL development team as the original reporters of \nCVE-2015-0293.\n\nAll openssl users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. For the update to take\neffect, all services linked to the OpenSSL library must be restarted, or\nthe system rebooted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021064.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0800.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-04-14T11:25:52", "title": "openssl security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-0288", "CVE-2014-8275", "CVE-2015-0293", "CVE-2015-0204", "CVE-2016-0704", "CVE-2015-0287", "CVE-2016-0703", "CVE-2015-0289", "CVE-2015-0292"], "modified": "2015-04-14T11:25:52", "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021064.html", "id": "CESA-2015:0800", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-03T18:26:08", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0066.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-static", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-static", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-1.0.1e-30.el6_6.5.src.rpm", "packageName": "openssl", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-perl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-1.0.1e-34.el7_0.7.src.rpm", "packageName": "openssl", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-static", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-static", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.i686.rpm", "packageName": "openssl-perl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-libs", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm", "packageName": "openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm", "packageName": "openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0066\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),\nTransport Layer Security (TLS), and Datagram Transport Layer Security\n(DTLS) protocols, as well as a full-strength, general purpose cryptography\nlibrary.\n\nA NULL pointer dereference flaw was found in the DTLS implementation of\nOpenSSL. A remote attacker could send a specially crafted DTLS message,\nwhich would cause an OpenSSL server to crash. (CVE-2014-3571)\n\nA memory leak flaw was found in the way the dtls1_buffer_record() function\nof OpenSSL parsed certain DTLS messages. A remote attacker could send\nmultiple specially crafted DTLS messages to exhaust all available memory of\na DTLS server. (CVE-2015-0206)\n\nIt was found that OpenSSL's BigNumber Squaring implementation could produce\nincorrect results under certain special conditions. This flaw could\npossibly affect certain OpenSSL library functionality, such as RSA\nblinding. Note that this issue occurred rarely and with a low probability,\nand there is currently no known way of exploiting it. (CVE-2014-3570)\n\nIt was discovered that OpenSSL would perform an ECDH key exchange with a\nnon-ephemeral key even when the ephemeral ECDH cipher suite was selected.\nA malicious server could make a TLS/SSL client using OpenSSL use a weaker\nkey exchange method than the one requested by the user. (CVE-2014-3572)\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nIt was found that an OpenSSL server would, under certain conditions, accept\nDiffie-Hellman client certificates without the use of a private key.\nAn attacker could use a user's client certificate to authenticate as that\nuser, without needing the private key. (CVE-2015-0205)\n\nAll OpenSSL users are advised to upgrade to these updated packages, which\ncontain a backported patch to mitigate the above issues. For the update to\ntake effect, all services linked to the OpenSSL library (such as httpd and\nother SSL-enabled services) must be restarted or the system rebooted.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020884.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020885.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-libs\nopenssl-perl\nopenssl-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0066.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-01-20T21:00:39", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "openssl security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-01-20T21:13:20", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020884.html", "id": "CESA-2015:0066", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "slackware": [{"lastseen": "2018-08-31T02:37:09", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-0.9.8zd-i486-1_slack13.1.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1k", "arch": "x86_64", "packageFilename": "openssl-solibs-1.0.1k-x86_64-1_slack14.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-0.9.8zd-x86_64-1_slack13.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-0.9.8zd-x86_64-1_slack13.1.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-solibs-0.9.8zd-i486-1_slack13.37.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1k", "arch": "i486", "packageFilename": "openssl-1.0.1k-i486-1_slack14.1.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-solibs-0.9.8zd-i486-1_slack13.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-solibs-0.9.8zd-i486-1_slack13.1.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1k", "arch": "x86_64", "packageFilename": "openssl-solibs-1.0.1k-x86_64-1_slack14.1.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1k", "arch": "i486", "packageFilename": "openssl-solibs-1.0.1k-i486-1_slack14.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1k", "arch": "i486", "packageFilename": "openssl-1.0.1k-i486-1_slack14.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-0.9.8zd-i486-1_slack13.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-solibs-0.9.8zd-x86_64-1_slack13.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-solibs-0.9.8zd-x86_64-1_slack13.37.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "0.9.8zd", "arch": "i486", "packageFilename": "openssl-0.9.8zd-i486-1_slack13.37.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-solibs-0.9.8zd-x86_64-1_slack13.1.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1k", "arch": "x86_64", "packageFilename": "openssl-1.0.1k-x86_64-1_slack14.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1k", "arch": "i486", "packageFilename": "openssl-solibs-1.0.1k-i486-1_slack14.1.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "0.9.8zd", "arch": "x86_64", "packageFilename": "openssl-0.9.8zd-x86_64-1_slack13.37.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1k", "arch": "x86_64", "packageFilename": "openssl-1.0.1k-x86_64-1_slack14.1.txz", "packageName": "openssl", "operator": "lt"}], "description": "New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/openssl-1.0.1k-i486-1_slack14.1.txz: Upgraded.\n This update fixes several security issues:\n DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)\n DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)\n no-ssl3 configuration sets method to NULL (CVE-2014-3569)\n ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)\n RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)\n DH client certificates accepted without verification [Server] (CVE-2015-0205)\n Certificate fingerprints can be modified (CVE-2014-8275)\n Bignum squaring may produce incorrect results (CVE-2014-3570)\n For more information, see:\n https://www.openssl.org/news/secadv_20150108.txt\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570\n (* Security fix *)\npatches/packages/openssl-solibs-1.0.1k-i486-1_slack14.1.txz: Upgraded.\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8zd-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8zd-i486-1_slack13.0.txz\n\nUpdated packages for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8zd-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8zd-x86_64-1_slack13.0.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8zd-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8zd-i486-1_slack13.1.txz\n\nUpdated packages for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8zd-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8zd-x86_64-1_slack13.1.txz\n\nUpdated packages for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8zd-i486-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8zd-i486-1_slack13.37.txz\n\nUpdated packages for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8zd-x86_64-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8zd-x86_64-1_slack13.37.txz\n\nUpdated packages for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1k-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1k-i486-1_slack14.0.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1k-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1k-x86_64-1_slack14.0.txz\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1k-i486-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1k-i486-1_slack14.1.txz\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1k-x86_64-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1k-x86_64-1_slack14.1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1k-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1k-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1k-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1k-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 packages:\n7011638e44786670642a29b13adbb4cd openssl-0.9.8zd-i486-1_slack13.0.txz\n239cd5697b2633e68aae60f84728ec3d openssl-solibs-0.9.8zd-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 packages:\n953f3ea84349050f9075d69f190c4ef0 openssl-0.9.8zd-x86_64-1_slack13.0.txz\ne4cb8384a1a5fd0730f47b0d66844973 openssl-solibs-0.9.8zd-x86_64-1_slack13.0.txz\n\nSlackware 13.1 packages:\n60a91060b530795c3aec7776e559069b openssl-0.9.8zd-i486-1_slack13.1.txz\n25833ee7c47234dfc57333e4e6ac9516 openssl-solibs-0.9.8zd-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 packages:\n936f04a96087ac8b242fc468ab4902af openssl-0.9.8zd-x86_64-1_slack13.1.txz\n2e822308f12b71adbe1d63d3bb7dac44 openssl-solibs-0.9.8zd-x86_64-1_slack13.1.txz\n\nSlackware 13.37 packages:\n90d89193c9625543a0b22595ba6e6989 openssl-0.9.8zd-i486-1_slack13.37.txz\n83d2ba9b537949d5a882433c19232049 openssl-solibs-0.9.8zd-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 packages:\n644c8acaf2ea6f5ea6fd197ee3d367f9 openssl-0.9.8zd-x86_64-1_slack13.37.txz\nebbae4f2e239906132fddbc8cc1f64cb openssl-solibs-0.9.8zd-x86_64-1_slack13.37.txz\n\nSlackware 14.0 packages:\n4400c395a2de5b68e880a76092dadd47 openssl-1.0.1k-i486-1_slack14.0.txz\nb2455038898a8715310f4ab732c11f71 openssl-solibs-1.0.1k-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 packages:\nf912cf9ec0d25495b1534c61563541be openssl-1.0.1k-x86_64-1_slack14.0.txz\n4eeed382d27de024e4f9e69aec1c148d openssl-solibs-1.0.1k-x86_64-1_slack14.0.txz\n\nSlackware 14.1 packages:\n299f48c01718e425e44844f54b34199d openssl-1.0.1k-i486-1_slack14.1.txz\nca6b49bb17c602e6637edca5686afc10 openssl-solibs-1.0.1k-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 packages:\nb9071e68e60d598a85659df0519131c2 openssl-1.0.1k-x86_64-1_slack14.1.txz\na835c6471b1cf5b162afe0782a6384bc openssl-solibs-1.0.1k-x86_64-1_slack14.1.txz\n\nSlackware -current packages:\ncb7d3aa850b3cfe54abd1eb61c881cc7 a/openssl-solibs-1.0.1k-i486-1.txz\n00ae9f01693bf86a709fd79b0e8cd099 n/openssl-1.0.1k-i486-1.txz\n\nSlackware x86_64 -current packages:\n727887e756148bb1d28fa348804fcdb9 a/openssl-solibs-1.0.1k-x86_64-1.txz\n9c254936144f5aaaf8fe4eee033f5658 n/openssl-1.0.1k-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg openssl-1.0.1k-i486-1_slack14.1.txz openssl-solibs-1.0.1k-i486-1_slack14.1.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2015-01-09T10:34:39", "title": "openssl", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-01-09T10:34:39", "id": "SSA-2015-009-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.782231", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2459-1\r\nJanuary 12, 2015\r\n\r\nopenssl vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 14.10\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in OpenSSL.\r\n\r\nSoftware Description:\r\n- openssl: Secure Socket Layer (SSL) cryptographic library and tools\r\n\r\nDetails:\r\n\r\nPieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.\r\n(CVE-2014-3570)\r\n\r\nMarkus Stenberg discovered that OpenSSL incorrectly handled certain crafted\r\nDTLS messages. A remote attacker could use this issue to cause OpenSSL to\r\ncrash, resulting in a denial of service. (CVE-2014-3571)\r\n\r\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain\r\nhandshakes. A remote attacker could possibly use this issue to downgrade to\r\nECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)\r\n\r\nAntti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that\r\nOpenSSL incorrectly handled certain certificate fingerprints. A remote\r\nattacker could possibly use this issue to trick certain applications that\r\nrely on the uniqueness of fingerprints. (CVE-2014-8275)\r\n\r\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain\r\nkey exchanges. A remote attacker could possibly use this issue to downgrade\r\nthe security of the session to EXPORT_RSA. (CVE-2015-0204)\r\n\r\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled client\r\nauthentication. A remote attacker could possibly use this issue to\r\nauthenticate without the use of a private key in certain limited scenarios.\r\nThis issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0205)\r\n\r\nChris Mueller discovered that OpenSSL incorrect handled memory when\r\nprocessing DTLS records. A remote attacker could use this issue to cause\r\nOpenSSL to consume resources, resulting in a denial of service. This issue\r\nonly affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.\r\n(CVE-2015-0206)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 14.10:\r\n libssl1.0.0 1.0.1f-1ubuntu9.1\r\n\r\nUbuntu 14.04 LTS:\r\n libssl1.0.0 1.0.1f-1ubuntu2.8\r\n\r\nUbuntu 12.04 LTS:\r\n libssl1.0.0 1.0.1-4ubuntu5.21\r\n\r\nUbuntu 10.04 LTS:\r\n libssl0.9.8 0.9.8k-7ubuntu8.23\r\n\r\nAfter a standard system update you need to reboot your computer to make\r\nall the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2459-1\r\n CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275,\r\n CVE-2015-0204, CVE-2015-0205, CVE-2015-0206\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu9.1\r\n https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.8\r\n https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.21\r\n https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.23\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-01-13T00:00:00", "title": "[USN-2459-1] OpenSSL vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:56", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-01-13T00:00:00", "id": "SECURITYVULNS:DOC:31591", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31591", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32492"], "description": "Information disclosure, DoS, unauthorized access, buffer overflow, privilege escalation, crossite scripting.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-09-14T00:00:00", "title": "HP Version Control Repository Manager multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:02", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "HP Version Control Repository Manager", "version": "7.4", "operator": "eq"}], "cvelist": ["CVE-2015-5411", "CVE-2015-5410", "CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-5413", "CVE-2015-0204", "CVE-2015-5412", "CVE-2015-5409", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-09-14T00:00:00", "id": "SECURITYVULNS:VULN:14678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14678", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "references": [], "description": "\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hpe.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04774021\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04774021\r\nVersion: 1\r\n\r\nHPSBMU03413 rev.1 - HP Virtual Connect Enterprise Manager SDK, Multiple\r\nVulnerabilities\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2015-08-24\r\nLast Updated: 2015-08-24\r\n\r\nPotential Security Impact: Remote Denial of Service (DoS), unauthorized\r\nmodification, unauthorized access, disclosure of information\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Virtual\r\nConnect Enterprise Manager SDK. The vulnerabilities could be exploited\r\nremotely resulting in Denial of Service (DoS), unauthorized modification,\r\nunauthorized access, or disclosure of information.\r\n\r\nReferences:\r\n\r\nCVE-2014-3569\r\nCVE-2014-3570\r\nCVE-2014-3571\r\nCVE-2014-3572\r\nCVE-2014-8275\r\nCVE-2015-0204\r\nCVE-2015-0205\r\nCVE-2015-0206\r\nCVE-2015-0209\r\nCVE-2015-0286\r\nCVE-2015-0288\r\nCVE-2015-5432\r\nCVE-2015-5433\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Virtual Connect Enterprise Manager SDK prior to version 7.5.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3\r\nCVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0209 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0286 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3\r\nCVE-2015-0288 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-5432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5433 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made software updates available to resolve the vulnerabilities for the\r\naffected versions of HP Virtual Connect Enterprise Manager SDK.\r\n\r\nPlease send mail to vcemsdksupportteam@hp.com to request an updated version\r\nof HP Virtual Connect Enterprise Manager SDK v7.5.0:\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 August 2015 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2015 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-09-14T00:00:00", "title": "[security bulletin] HPSBMU03413 rev.1 - HP Virtual Connect Enterprise Manager SDK, Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0286", "CVE-2014-3571", "CVE-2015-5433", "CVE-2015-0288", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0209", "CVE-2015-5432", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-09-14T00:00:00", "id": "SECURITYVULNS:DOC:32493", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32493", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:01", "references": [], "description": "\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hpe.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04765115\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04765115\r\nVersion: 1\r\n\r\nHPSBMU03396 rev.1 - HP Version Control Repository Manager (VCRM) on Windows\r\nand Linux, Multiple Vulnerabilities\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2015-08-24\r\nLast Updated: 2015-08-24\r\n\r\nPotential Security Impact: Remote Denial of Service (DoS), execution of\r\narbitrary code, unauthorized modification, unauthorized access, disclosure of\r\ninformation, cross-site request forgery (CSRF), elevation of privilege\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Version\r\nControl Repository Manager (VCRM) on Windows and Linux. The vulnerabilities\r\ncould be exploited remotely resulting in Denial of Service (DoS), execution\r\nof arbitrary code, unauthorized modification, unauthorized access, disclosure\r\nof information, cross-site request forgery (CSRF), or elevation of privilege.\r\n\r\nReferences:\r\n\r\nCVE-2014-3569 - Remote Denial of Service (DoS)\r\nCVE-2014-3570 - Remote Disclosure of Information\r\nCVE-2014-3571 - Remote Denial of Service (DoS)\r\nCVE-2014-3572 - Remote Disclosure of Information\r\nCVE-2014-8275 - Remote Unauthorized Modification\r\nCVE-2015-0204 - Remote Disclosure of Information\r\nCVE-2015-0205 - Remote Unauthorized Access\r\nCVE-2015-0206 - Remote Denial of Service (DoS)\r\nCVE-2015-5409 - Remote Buffer overflow\r\nCVE-2015-5410 - Remote Denial of Service (DoS), Unauthorized Access,\r\nExecution of Arbitrary Code, Unauthorized Modification\r\nCVE-2015-5411 - Remote Disclosure of Information\r\nCVE-2015-5412 - Cross-Site Request Forgery (CSRF)\r\nCVE-2015-5413 - Remote Elevation of Privilege\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Version Control Repository Manager (VCRM) prior to version 7.5.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3\r\nCVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-5409 (AV:L/AC:L/Au:S/C:N/I:P/A:C) 5.2\r\nCVE-2015-5410 (AV:L/AC:M/Au:S/C:N/I:P/A:C) 5.0\r\nCVE-2015-5411 (AV:L/AC:M/Au:S/C:C/I:N/A:N) 4.4\r\nCVE-2015-5412 (AV:L/AC:M/Au:S/C:P/I:C/A:N) 5.0\r\nCVE-2015-5413 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available to resolve the\r\nvulnerabilities for the impacted versions of HP Version Control Repository\r\nManager (VCRM).\r\n\r\nPlease download the latest version of HP Version Control Repository Manager\r\n(VCRM).7.5.0 from the following locations:\r\n\r\nFor Windows:\r\n\r\nhttp://www.hp.com/swpublishing/MTX-20861d704bc04221a1518b7cb6\r\n\r\nFor Linux please install the latest version of HP Systems Insight Manager,\r\navailable from this location:\r\n\r\nhttp://h20566.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result&doc\r\nId=emr_na-c04771934&docLocale=en_US\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 August 2015 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2015 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-09-14T00:00:00", "title": "[security bulletin] HPSBMU03396 rev.1 - HP Version Control Repository Manager (VCRM) on Windows and Linux, Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:01", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-5411", "CVE-2015-5410", "CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-5413", "CVE-2015-0204", "CVE-2015-5412", "CVE-2015-5409", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-09-14T00:00:00", "id": "SECURITYVULNS:DOC:32492", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32492", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2015-081: RSA BSAFE\u00ae Micro Edition Suite, Crypto-C Micro Edition, Crypto-J, SSL-J and SSL-C Multiple Vulnerabilities\r\n\r\n\r\nEMC Identifier: ESA-2015-081\r\n \r\nCVE Identifier: CVE-2015-0533, CVE-2015-0534, CVE-2015-0535, CVE-2015-0536, CVE-2015-0537\r\n \r\nSeverity Rating: CVSS v2 Base Score: See below for individual scores for each CVE \r\n \r\nAffected Products: \r\nRSA BSAFE Micro Edition Suite (MES) all 4.1.x versions prior to 4.1.3\r\nRSA BSAFE Micro Edition Suite (MES) all 4.0.x versions prior to 4.0.8\r\nRSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.1\r\nRSA BSAFE Crypto-C Micro Edition (Crypto-C ME) all versions prior to 4.0.4\r\nRSA BSAFE Crypto-J all versions prior to 6.2\r\nRSA BSAFE SSL-J all versions prior to 6.2\r\nRSA BSAFE SSL-C all versions including 2.8.9\r\n \r\nUnaffected Products:\r\nRSA BSAFE Micro Edition Suite (MES) 4.1.3\r\nRSA BSAFE Micro Edition Suite (MES) 4.0.8\r\nRSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.0.4\r\nRSA BSAFE Crypto-J 6.2\r\nRSA BSAFE SSL-J 6.2\r\n \r\nSummary: \r\nRSA announces security fixes to RSA BSAFE\u00ae Micro Edition Suite, Crypto-C Micro Edition, Crypto-J and SSL-J designed to address multiple vulnerabilities. \r\n \r\nDetails: \r\nRSA BSAFE\u00ae Micro Edition Suite, Crypto-C Micro Edition, Crypto-J, SSL-J and SSL-C may be susceptible to the following potential vulnerabilities:\r\n \r\nCVE-2015-0533: ECDHE silently downgrades to ECDH [Client]\r\nWhen the RSA BSAFE MES or SSL-C implementation of the SSL/TLS protocol is used, it may allow remote attackers to successfully perform an SSL handshake using an ephemeral ECDH cipher suite with the server key exchange message omitted. This effectively removes forward secrecy from the cipher suite (similar to CVE-2014-3572).\r\nCVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)\r\nNote: Affects MES and SSL-C versions listed above.\r\n\r\nCVE-2015-0534: Certificate fingerprints can be modified\r\nRSA BSAFE MES, Crypto-J and SSL-C versions as listed above does not enforce certain constraints on certificate data, which potentially allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate\u2019s unsigned portion (similar to CVE-2014-8275).\r\nCVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)\r\nNote: Affects MES, Crypto-J, SSL-J and SSL-C versions listed above.\r\n\r\nCVE-2015-0535: The FREAK (Factoring RSA Export Keys) attack\r\nWhen the RSA BSAFE MES or SSL-C implementation of the SSL/TLS protocol is used, the attacker can potentially conduct RSA-to-EXPORT_RSA downgrade attacks against the client. The client would then accept the weak EXPORT-grade key, allowing the attacker to factor it and decrypt communication between the client and the server (similar to CVE-2015-0204).\r\nCVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nNote: Affects MES and SSL-C versions listed above.\r\n\r\nCVE-2015-0536: A denial of service with Empty CKE with client auth and DHE\r\nWhen the RSA BSAFE MES or SSL-C implementation of the SSL/TLS protocol is used, it might be possible for a remote attacker to cause a denial of service via a ClientKeyExchange message with a length of zero when client authentication and Ephemeral Diffie-Hellman cipher suites are enabled (similar to CVE-2015-1787).\r\nCVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)\r\nNote: Affects MES and SSL-C versions listed above.\r\n\r\nCVE-2015-0537: An integer underflow in Base64 decode implementation\r\nAn integer underflow in the base64-decoding implementation in RSA BSAFE MES, Crypto-C ME and SSL-C may allow remote attackers to cause a denial of service via a segmentation fault or an unexpected behavior via memory corruption (similar to CVE-2015-0292).\r\nCVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nNote: Affects MES, Crypto-C ME and SSL-C versions listed above.\r\nRecommendation:\r\nRSA BSAFE Micro Edition Suite (MES) 4.0.8 and 4.1.3 contains fixes for CVE-2015-0533, CVE-2015-0534, CVE-2015-0535, CVE-2015-0536, CVE-2015-0537\r\nRSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.0.4 contains the fix for CVE-2015-0537.\r\nRSA BSAFE Crypto-J 6.2 contains the fix for CVE-2015-0534\r\nRSA BSAFE SSL-J 6.2 contains the fix for CVE-2015-0534\r\nRSA recommends all customers upgrade to the versions listed above at the earliest opportunity.\r\n \r\nThis advisory will be updated when the fixes are provided for RSA BSAFE Crypto-C ME 4.1.x series.\r\n \r\nRSA recommends all RSA BSAFE SSL-C customers upgrade to RSA BSAFE Micro Edition Suite (MES) as per previous notifications about the End Of Life (EOL) for BSAFE SSL-C.\r\nThe following workaround is available in BSAFE SSL-C 2.8.x for CVE-2015-0534:\r\nEnsure that the application does not perform blacklisting using the bytes of the entire certificate or a hash thereof.\r\nModify the blacklist comparison to use only the Issuer/Serial no. combination.\r\nObtaining Downloads:\r\nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.emc.com/support/rsa/contact/index.htm) for most expedient service. \r\n\r\nObtaining Documentation:\r\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.\r\n\r\nSeverity Rating:\r\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \u201cSecurity Advisories Severity Rating\u201d at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\nObtaining More Information:\r\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com.\r\n\r\nGetting Support and Service:\r\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.\r\n\r\nGeneral Customer Support Information:\r\nhttp://www.emc.com/support/rsa/index.htm\r\n\r\nRSA SecurCare Online:\r\nhttps://knowledge.rsasecurity.com\r\n\r\nEOPS Policy:\r\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. \r\nhttp://www.emc.com/support/rsa/eops/index.htm\r\n\r\nSecurCare Online Security Advisories\r\nRead and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\nAbout RSA SecurCare Notes & Security Advisories Subscription\r\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\u2019d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\u2019d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.\r\n\r\nSincerely,\r\nRSA Customer Support\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlXR3AsACgkQtjd2rKp+ALx8kQCgp+wv+jfWF+UQEa+3FtGWlXKQ\r\nX94AnRVyInm3Nz1SMd2BAEsSNDlFyaGA\r\n=Wmc1\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-08-24T00:00:00", "title": "ESA-2015-081: RSA BSAFE\u00ae Micro Edition Suite, Crypto-C Micro Edition, Crypto-J, SSL-J and SSL-C Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0535", "CVE-2015-0533", "CVE-2015-0204", "CVE-2015-0534", "CVE-2015-0537", "CVE-2015-0292", "CVE-2015-1787", "CVE-2015-0536"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32423", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32423", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:58", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004\r\n\r\nOS X Yosemite 10.10.3 and Security Update 2015-004 are now available\r\nand address the following:\r\n\r\nAdmin Framework\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A process may gain admin privileges without properly\r\nauthenticating\r\nDescription: An issue existed when checking XPC entitlements. This\r\nissue was addressed with improved entitlement checking.\r\nCVE-ID\r\nCVE-2015-1130 : Emil Kvarnhammar at TrueSec\r\n\r\napache\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Multiple vulnerabilities in Apache\r\nDescription: Multiple vulnerabilities existed in Apache versions\r\nprior to 2.4.10 and 2.2.29, including one that may allow a remote\r\nattacker to execute arbitrary code. These issues were addressed by\r\nupdating Apache to versions 2.4.10 and 2.2.29\r\nCVE-ID\r\nCVE-2013-0118\r\nCVE-2013-5704\r\nCVE-2013-6438\r\nCVE-2014-0098\r\nCVE-2014-0117\r\nCVE-2014-0118\r\nCVE-2014-0226\r\nCVE-2014-0231\r\nCVE-2014-3523\r\n\r\nATS\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: Multiple input validation issues existed in fontd.\r\nThese issues were addressed through improved input validation.\r\nCVE-ID\r\nCVE-2015-1131 : Ian Beer of Google Project Zero\r\nCVE-2015-1132 : Ian Beer of Google Project Zero\r\nCVE-2015-1133 : Ian Beer of Google Project Zero\r\nCVE-2015-1134 : Ian Beer of Google Project Zero\r\nCVE-2015-1135 : Ian Beer of Google Project Zero\r\n\r\nCertificate Trust Policy\r\nImpact: Update to the certificate trust policy\r\nDescription: The certificate trust policy was updated. The complete\r\nlist of certificates may be viewed at https://support.apple.com/en-\r\nus/HT202858.\r\n\r\nCFNetwork HTTPProtocol\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: Cookies belonging to one origin may be sent to another\r\norigin\r\nDescription: A cross-domain cookie issue existed in redirect\r\nhandling. Cookies set in a redirect response could be passed on to a\r\nredirect target belonging to another origin. The issue was address\r\nthrough improved handling of redirects.\r\nCVE-ID\r\nCVE-2015-1089 : Niklas Keller\r\n\r\nCFNetwork Session\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: Authentication credentials may be sent to a server on\r\nanother origin\r\nDescription: A cross-domain HTTP request headers issue existed in\r\nredirect handling. HTTP request headers sent in a redirect response\r\ncould be passed on to another origin. The issue was addressed through\r\nimproved handling of redirects.\r\nCVE-ID\r\nCVE-2015-1091 : Diego Torres (http://dtorres.me)\r\n\r\nCFURL\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: An input validation issue existed within URL\r\nprocessing. This issue was addressed through improved URL validation.\r\nCVE-ID\r\nCVE-2015-1088 : Luigi Galli\r\n\r\nCoreAnimation\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: A use-after-free issue existed in CoreAnimation. This\r\nissue was addressed through improved mutex management.\r\nCVE-ID\r\nCVE-2015-1136 : Apple\r\n\r\nFontParser\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nprocessing of font files. These issues were addressed through\r\nimproved bounds checking.\r\nCVE-ID\r\nCVE-2015-1093 : Marc Schoenefeld\r\n\r\nGraphics Driver\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A NULL pointer dereference existed in NVIDIA graphics\r\ndriver's handling of certain IOService userclient types. This issue\r\nwas addressed through additional context validation.\r\nCVE-ID\r\nCVE-2015-1137 :\r\nFrank Graziano and John Villamil of the Yahoo Pentest Team\r\n\r\nHypervisor\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A local application may be able to cause a denial of service\r\nDescription: An input validation issue existed in the hypervisor\r\nframework. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-1138 : Izik Eidus and Alex Fishman\r\n\r\nImageIO\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Processing a maliciously crafted .sgi file may lead to\r\narbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\n.sgi files. This issue was addressed through improved bounds\r\nchecking.\r\nCVE-ID\r\nCVE-2015-1139 : Apple\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A malicious HID device may be able to cause arbitrary code\r\nexecution\r\nDescription: A memory corruption issue existed in an IOHIDFamily\r\nAPI. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-1095 : Andrew Church\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A buffer overflow issue existed in IOHIDFamily. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-1140 : lokihardt@ASRT working with HP's Zero Day Initiative,\r\nLuca Todesco\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to determine kernel memory layout\r\nDescription: An issue existed in IOHIDFamily that led to the\r\ndisclosure of kernel memory content. This issue was addressed through\r\nimproved bounds checking.\r\nCVE-ID\r\nCVE-2015-1096 : Ilja van Sprundel of IOActive\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A heap buffer overflow existed in IOHIDFamily's\r\nhandling of key-mapping properties. This issue was addressed through\r\nimproved bounds checking.\r\nCVE-ID\r\nCVE-2014-4404 : Ian Beer of Google Project Zero\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A null pointer dereference existed in IOHIDFamily's\r\nhandling of key-mapping properties. This issue was addressed through\r\nimproved validation of IOHIDFamily key-mapping properties.\r\nCVE-ID\r\nCVE-2014-4405 : Ian Beer of Google Project Zero\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5\r\nImpact: A user may be able to execute arbitrary code with system\r\nprivileges\r\nDescription: An out-of-bounds write issue exited in the IOHIDFamily\r\ndriver. The issue was addressed through improved input validation.\r\nCVE-ID\r\nCVE-2014-4380 : cunzhang from Adlab of Venustech\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to cause unexpected system shutdown\r\nDescription: An issue existed in the handling of virtual memory\r\noperations within the kernel. The issue is fixed through improved\r\nhandling of the mach_vm_read operation.\r\nCVE-ID\r\nCVE-2015-1141 : Ole Andre Vadla Ravnas of www.frida.re\r\n\r\nKernel\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to cause a system denial of service\r\nDescription: A race condition existed in the kernel's setreuid\r\nsystem call. This issue was addressed through improved state\r\nmanagement.\r\nCVE-ID\r\nCVE-2015-1099 : Mark Mentovai of Google Inc.\r\n\r\nKernel\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local application may escalate privileges using a\r\ncompromised service intended to run with reduced privileges\r\nDescription: setreuid and setregid system calls failed to drop\r\nprivileges permanently. This issue was addressed by correctly\r\ndropping privileges.\r\nCVE-ID\r\nCVE-2015-1117 : Mark Mentovai of Google Inc.\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: An attacker with a privileged network position may be able\r\nto redirect user traffic to arbitrary hosts\r\nDescription: ICMP redirects were enabled by default on OS X. This\r\nissue was addressed by disabling ICMP redirects.\r\nCVE-ID\r\nCVE-2015-1103 : Zimperium Mobile Security Labs\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: An attacker with a privileged network position may be able\r\nto cause a denial of service\r\nDescription: A state inconsistency existed in the processing of TCP\r\nheaders. This issue was addressed through improved state handling.\r\nCVE-ID\r\nCVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab\r\n\r\nKernel\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to cause unexpected system\r\ntermination or read kernel memory\r\nDescription: A out of bounds memory access issue existed in the\r\nkernel. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-1100 : Maxime Villard of m00nbsd\r\n\r\nKernel\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A remote attacker may be able to bypass network filters\r\nDescription: The system would treat some IPv6 packets from remote\r\nnetwork interfaces as local packets. The issue was addressed by\r\nrejecting these packets.\r\nCVE-ID\r\nCVE-2015-1104 : Stephen Roettger of the Google Security Team\r\n\r\nKernel\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nkernel privileges\r\nDescription: A memory corruption issue existed in the kernel. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A remote attacker may be able to cause a denial of service\r\nDescription: A state inconsistency issue existed in the handling of\r\nTCP out of band data. This issue was addressed through improved state\r\nmanagement.\r\nCVE-ID\r\nCVE-2015-1105 : Kenton Varda of Sandstorm.io\r\n\r\nLaunchServices\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to cause the Finder to crash\r\nDescription: An input validation issue existed in LaunchServices's\r\nhandling of application localization data. This issue was addressed\r\nthrough improved validation of localization data.\r\nCVE-ID\r\nCVE-2015-1142\r\n\r\nLaunchServices\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A type confusion issue existed in LaunchServices's\r\nhandling of localized strings. This issue was addressed through\r\nadditional bounds checking.\r\nCVE-ID\r\nCVE-2015-1143 : Apple\r\n\r\nlibnetcore\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: Processing a maliciously crafted configuration profile may\r\nlead to unexpected application termination\r\nDescription: A memory corruption issue existed in the handling of\r\nconfiguration profiles. This issue was addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of\r\nFireEye, Inc.\r\n\r\nntp\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A remote attacker may brute force ntpd authentication keys\r\nDescription: The config_auth function in ntpd generated a weak key\r\nwhen an authentication key was not configured. This issue was\r\naddressed by improved key generation.\r\nCVE-ID\r\nCVE-2014-9298\r\n\r\nOpenLDAP\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A remote unauthenticated client may be able to cause a\r\ndenial of service\r\nDescription: Multiple input validation issues existed in OpenLDAP.\r\nThese issues were addressed by improved input validation.\r\nCVE-ID\r\nCVE-2015-1545 : Ryan Tandy\r\nCVE-2015-1546 : Ryan Tandy\r\n\r\nOpenSSL\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Multiple vulnerabilities in OpenSSL\r\nDescription: Multiple vulnerabilities existed in OpenSSL 0.9.8zc,\r\nincluding one that may allow an attacker to intercept connections to\r\na server that supports export-grade ciphers. These issues were\r\naddressed by updating OpenSSL to version 0.9.8zd.\r\nCVE-ID\r\nCVE-2014-3569\r\nCVE-2014-3570\r\nCVE-2014-3571\r\nCVE-2014-3572\r\nCVE-2014-8275\r\nCVE-2015-0204\r\n\r\nOpen Directory Client\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A password might be sent unencrypted over the network when\r\nusing Open Directory from OS X Server\r\nDescription: If an Open Directory client was bound to an OS X Server\r\nbut did not install the certificates of the OS X Server, and then a\r\nuser on that client changed their password, the password change\r\nrequest was sent over the network without encryption. This issue was\r\naddressed by having the client require encryption for this case.\r\nCVE-ID\r\nCVE-2015-1147 : Apple\r\n\r\nPHP\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Multiple vulnerabilities in PHP\r\nDescription: Multiple vulnerabilities existed in PHP versions prior\r\nto 5.3.29, 5.4.38, and 5.5.20, including one which may have led to\r\narbitrary code execution. This update addresses the issues by\r\nupdating PHP to versions 5.3.29, 5.4.38, and 5.5.20.\r\nCVE-ID\r\nCVE-2013-6712\r\nCVE-2014-0207\r\nCVE-2014-0237\r\nCVE-2014-0238\r\nCVE-2014-2497\r\nCVE-2014-3478\r\nCVE-2014-3479\r\nCVE-2014-3480\r\nCVE-2014-3487\r\nCVE-2014-3538\r\nCVE-2014-3587\r\nCVE-2014-3597\r\nCVE-2014-3668\r\nCVE-2014-3669\r\nCVE-2014-3670\r\nCVE-2014-3710\r\nCVE-2014-3981\r\nCVE-2014-4049\r\nCVE-2014-4670\r\nCVE-2014-4698\r\nCVE-2014-5120\r\n\r\nQuickLook\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Opening a maliciously crafted iWork file may lead to\r\narbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\niWork files. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-1098 : Christopher Hickstein\r\n\r\nSceneKit\r\nAvailable for: OS X Mountain Lion v10.8.5\r\nImpact: Viewing a maliciously crafted Collada file may lead to\r\narbitrary code execution\r\nDescription: A heap buffer overflow existed in SceneKit's handling\r\nof Collada files. Viewing a maliciously crafted Collada file may have\r\nled to arbitrary code execution. This issue was addressed through\r\nimproved validation of accessor elements.\r\nCVE-ID\r\nCVE-2014-8830 : Jose Duart of Google Security Team\r\n\r\nScreen Sharing\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: A user's password may be logged to a local file\r\nDescription: In some circumstances, Screen Sharing may log a user's\r\npassword that is not readable by other users on the system. This\r\nissue was addressed by removing logging of credential.\r\nCVE-ID\r\nCVE-2015-1148 : Apple\r\n\r\nSecurity - Code Signing\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: Tampered applications may not be prevented from launching\r\nDescription: Applications containing specially crafted bundles may\r\nhave been able to launch without a completely valid signature. This\r\nissue was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-1145\r\nCVE-2015-1146\r\n\r\nUniformTypeIdentifiers\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.2\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A buffer overflow existed in the way Uniform Type\r\nIdentifiers were handled. This issue was addressed with improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-1144 : Apple\r\n\r\nWebKit\r\nAvailable for: OS X Yosemite v10.10 to v10.10.2\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: A memory corruption issue existed in WebKit. This\r\nissues was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative\r\n\r\nSecurity Update 2015-004 (available for OS X Mountain Lion v10.8.5\r\nand OS X Mavericks v10.9.5) also addresses an issue caused by the fix\r\nfor CVE-2015-1067 in Security Update 2015-002. This issue prevented\r\nRemote Apple Events clients on any version from connecting to the\r\nRemote Apple Events server. In default configurations, Remote Apple\r\nEvents is not enabled.\r\n\r\nOS X Yosemite 10.10.3 includes the security content of Safari 8.0.5.\r\nhttps://support.apple.com/en-us/HT204658\r\n\r\nOS X Yosemite 10.10.3 and Security Update 2015-004 may be obtained\r\nfrom the Mac App Store or Apple's Software Downloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: http://support.apple.com/kb/HT1222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG/MacGPG2 v2.0.22 (Darwin)\r\nComment: GPGTools - http://gpgtools.org\r\n\r\niQIcBAEBAgAGBQJVJKj2AAoJEBcWfLTuOo7tDh4QAK0LxfwMRKcdOXOKpXsRz6lg\r\nlhZ+CLVcSepq8qBkFQ74f3B5CuhxD0IGQPaAuSXl51tWYdfN+92tkbmyZ9k8901l\r\n+I0vw6upeE+oqRnGtSRzq68UhcARbdV8V1+C0Xl3IIuuHc+xlEgvklDhF9Pc8XM6\r\nDudGiVNqt6MOqd5Oc4s4FFF0nnpnyG9+UJem3mi4Ee88PwI4x1Hev7utPPmaPDzj\r\ncjkVeislko3QArNJxtBpkYudErA4eR5OX8Tdf12jAmPTtjrXUb3VigEf78Nna0RW\r\nkHTOGdB5EZ+YFZ8KlyIQlENBjTtI8CGdCF4/S/2xDN83NTRsimd5Y7LSjdd0uANo\r\npqxAc3Gzn5xngWF1Qbb6V+XZBfz5NoeTq5BXBB5OHz4PSGaQuMsBA2RYFMzNLqWv\r\nD/T5U1JtzRLALt0lYAz63B0OhW7KXeLI9oer1Vo4wWF9O9cUFyuSI4JU5uYLQpJX\r\nkEpSFt4YPFFxMnlzCLzLkmVGax4w9M/tRHYeSKAnRlnsoPBtIGFItlNZE2RduD/R\r\n5n2APoJa3banQ8miycGORYP3WsktDRZzBy+2QPWuz8sE3AvAkO9xWp8PrQBkqf/b\r\n6CIG5UkCYITG2uzBXqnGbfDiEDvBLNN1Yq0ZZI23iYRxrdW0I0pv1CHio354q12G\r\nvVE37tYUU4PnLfwlcazq\r\n=MOsT\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-04-09T00:00:00", "title": "APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:58", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-1144", "CVE-2015-1117", "CVE-2015-1102", "CVE-2014-4405", "CVE-2015-1096", "CVE-2014-3478", "CVE-2014-0231", "CVE-2014-3572", "CVE-2014-0237", "CVE-2014-3571", "CVE-2013-5704", "CVE-2014-3587", "CVE-2015-1132", "CVE-2014-3479", "CVE-2014-4670", "CVE-2015-1091", "CVE-2015-1067", "CVE-2015-1148", "CVE-2015-1143", "CVE-2014-9298", "CVE-2014-3668", "CVE-2014-8830", "CVE-2015-1145", "CVE-2014-0098", "CVE-2014-3480", "CVE-2015-1138", "CVE-2014-3981", "CVE-2015-1140", "CVE-2013-0118", "CVE-2014-0207", "CVE-2014-8275", "CVE-2014-3570", "CVE-2013-6438", "CVE-2015-1147", "CVE-2014-3669", "CVE-2015-1093", "CVE-2015-1545", "CVE-2014-3487", "CVE-2014-3538", "CVE-2014-5120", "CVE-2014-3597", "CVE-2015-1130", "CVE-2015-1136", "CVE-2015-1142", "CVE-2014-3710", "CVE-2015-1139", "CVE-2014-4698", "CVE-2014-3523", "CVE-2014-4049", "CVE-2014-3670", "CVE-2015-1546", "CVE-2015-0204", "CVE-2015-1105", "CVE-2015-1099", "CVE-2015-1146", "CVE-2015-1135", "CVE-2014-2497", "CVE-2015-1118", "CVE-2014-0118", "CVE-2015-1131", "CVE-2015-1137", "CVE-2015-1101", "CVE-2015-1103", "CVE-2015-1104", "CVE-2014-4404", "CVE-2015-1089", "CVE-2015-1133", "CVE-2015-1141", "CVE-2014-0117", "CVE-2015-1088", "CVE-2013-6712", "CVE-2015-1069", "CVE-2014-4380", "CVE-2015-1095", "CVE-2015-1098", "CVE-2014-3569", "CVE-2015-1100", "CVE-2014-0238", "CVE-2014-0226", "CVE-2015-1134"], "modified": "2015-04-09T00:00:00", "id": "SECURITYVULNS:DOC:31890", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31890", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "references": [], "description": "\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hpe.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04774019\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04774019\r\nVersion: 1\r\n\r\nHPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2015-08-24\r\nLast Updated: 2015-08-24\r\n\r\nPotential Security Impact: Remote unauthorized modification, unauthorized\r\naccess, or unauthorized disclosure of information.\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Matrix\r\nOperating Environment. The vulnerabilities could be exploited remotely\r\nresulting in unauthorized modification, unauthorized access, or unauthorized\r\ndisclosure of information.\r\n\r\nReferences:\r\n\r\nCVE-2010-5107\r\nCVE-2013-0248\r\nCVE-2014-0118\r\nCVE-2014-0226\r\nCVE-2014-0231\r\nCVE-2014-1692\r\nCVE-2014-3523\r\nCVE-2014-3569\r\nCVE-2014-3570\r\nCVE-2014-3571\r\nCVE-2014-3572\r\nCVE-2014-8142\r\nCVE-2014-8275\r\nCVE-2014-9427\r\nCVE-2014-9652\r\nCVE-2014-9653\r\nCVE-2014-9705\r\nCVE-2015-0204\r\nCVE-2015-0205\r\nCVE-2015-0206\r\nCVE-2015-0207\r\nCVE-2015-0208\r\nCVE-2015-0209\r\nCVE-2015-0231\r\nCVE-2015-0232\r\nCVE-2015-0273\r\nCVE-2015-0285\r\nCVE-2015-0286\r\nCVE-2015-0287\r\nCVE-2015-0288\r\nCVE-2015-0289\r\nCVE-2015-0290\r\nCVE-2015-0291\r\nCVE-2015-0292\r\nCVE-2015-0293\r\nCVE-2015-1787\r\nCVE-2015-1788\r\nCVE-2015-1789\r\nCVE-2015-1790\r\nCVE-2015-1791\r\nCVE-2015-1792\r\nCVE-2015-2134\r\nCVE-2015-2139\r\nCVE-2015-2140\r\nCVE-2015-2301\r\nCVE-2015-2331\r\nCVE-2015-2348\r\nCVE-2015-2787\r\nCVE-2015-3113\r\nCVE-2015-5122\r\nCVE-2015-5123\r\nCVE-2015-5402\r\nCVE-2015-5403\r\nCVE-2015-5404\r\nCVE-2015-5405\r\nCVE-2015-5427\r\nCVE-2015-5428\r\nCVE-2015-5429\r\nCVE-2015-5430\r\nCVE-2015-5431\r\nCVE-2015-5432\r\nCVE-2015-5433\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Matrix Operating Environment impacted software components and versions:\r\n\r\nHP Systems Insight Manager (SIM) prior to version 7.5.0\r\nHP System Management Homepage (SMH) prior to version 7.5.0\r\nHP Version Control Agent (VCA) prior to version 7.5.0\r\nHP Version Control Repository Manager (VCRM) prior to version 7.5.0\r\nHP Insight Orchestration prior to version 7.5.0\r\nHP Virtual Connect Enterprise Manager (VCEM) prior to version 7.5.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2010-5107 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2013-0248 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3\r\nCVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3\r\nCVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2014-3523 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2014-9427 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2014-9652 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2014-9653 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2014-9705 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3\r\nCVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0207 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0208 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3\r\nCVE-2015-0209 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-0232 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-0285 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3\r\nCVE-2015-0286 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0287 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0288 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0289 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0290 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0291 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-0292 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-0293 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-1787 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6\r\nCVE-2015-1788 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3\r\nCVE-2015-1789 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3\r\nCVE-2015-1790 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-1791 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2015-1792 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-2134 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0\r\nCVE-2015-2139 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5\r\nCVE-2015-2140 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9\r\nCVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-2348 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\r\nCVE-2015-2787 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2015-3113 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2015-5122 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2015-5123 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2015-5402 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9\r\nCVE-2015-5403 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5\r\nCVE-2015-5404 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5405 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0\r\nCVE-2015-5427 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5428 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5429 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5430 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2015-5431 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9\r\nCVE-2015-5432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2015-5433 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available to resolve the\r\nvulnerabilities in the impacted versions of HP Matrix Operating Environment\r\n\r\nHP Matrix Operating Environment 7.5.0 is only available on DVD. Please order\r\nthe latest version of the HP Matrix Operating Environment 7.5.0 DVD #2 ISO\r\nfrom the following location:\r\n\r\nhttp://www.hp.com/go/insightupdates\r\n\r\nChoose the orange Select button. This presents the HP Insight Management\r\nMedia order page. Choose Insight Management 7.5 DVD-2-ZIP August 2015 from\r\nthe Software specification list. Fill out the rest of the form and submit it.\r\n\r\nHP has addressed these vulnerabilities for the affected software components\r\nbundled with the HP Matrix Operating Environment in the following HP Security\r\nBulletins.\r\n\r\nHP Matrix Operating Environment component\r\n HP Security Bulletin Number\r\n Security Bulletin Location\r\n\r\nHP Systems Insight Manager (SIM)\r\n HPSBMU03394\r\n HPSBMU03394\r\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04762744\r\n\r\nHP System Management Homepage (SMH)\r\n HPSBMU03380\r\n http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04746490&la\r\nng=en-us&cc=\r\n\r\nHP Version Control Agent (VCA)\r\n HPSBMU03397\r\n https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04765169\r\n\r\nHP Version Control Repository Manager (VCRM)\r\n HPSBMU03396\r\n https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr\r\n_na-c04765115\r\n\r\nHP Virtual Connect Enterprise Manager (VCEM) SDK\r\n HPSBMU03413\r\n https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr\r\n_na-c04774021\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 August 2015 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2015 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-09-14T00:00:00", "title": "[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-2348", "CVE-2014-9705", "CVE-2015-3113", "CVE-2015-2787", "CVE-2015-0232", "CVE-2015-1792", "CVE-2014-9427", "CVE-2015-5123", "CVE-2014-0231", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-1789", "CVE-2015-2134", "CVE-2015-0286", "CVE-2014-3571", "CVE-2015-2301", "CVE-2015-5433", "CVE-2015-5430", "CVE-2015-0288", "CVE-2015-5431", "CVE-2015-0285", "CVE-2015-0273", "CVE-2015-2331", "CVE-2015-5404", "CVE-2014-8142", "CVE-2015-0207", "CVE-2015-5402", "CVE-2015-2139", "CVE-2014-8275", "CVE-2015-0208", "CVE-2015-5428", "CVE-2014-3570", "CVE-2015-5427", "CVE-2015-5122", "CVE-2015-2140", "CVE-2010-5107", "CVE-2015-0293", "CVE-2014-1692", "CVE-2015-1788", "CVE-2014-3523", "CVE-2015-5429", "CVE-2015-0209", "CVE-2014-9653", "CVE-2015-5405", "CVE-2015-5432", "CVE-2014-9652", "CVE-2015-0204", "CVE-2013-0248", "CVE-2015-1790", "CVE-2014-0118", "CVE-2015-0291", "CVE-2015-0287", "CVE-2015-5403", "CVE-2015-0289", "CVE-2015-0292", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-0231", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-1791", "CVE-2014-0226"], "modified": "2015-09-14T00:00:00", "id": "SECURITYVULNS:DOC:32494", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32494", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:59", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31890", "https://vulners.com/securityvulns/securityvulns:doc:31897"], "description": "80 different vulnerabilities.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-04-13T00:00:00", "title": "Apple Mac OS X multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:59", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "MacOS X", "version": "10.10", "operator": "eq"}], "cvelist": ["CVE-2015-1144", "CVE-2015-1117", "CVE-2015-1102", "CVE-2014-4405", "CVE-2015-1096", "CVE-2014-3478", "CVE-2014-0231", "CVE-2014-3572", "CVE-2014-0237", "CVE-2014-3571", "CVE-2013-5704", "CVE-2014-3587", "CVE-2015-1132", "CVE-2014-3479", "CVE-2014-4670", "CVE-2015-1091", "CVE-2015-1148", "CVE-2015-1143", "CVE-2014-9298", "CVE-2014-3668", "CVE-2015-1149", "CVE-2014-8830", "CVE-2015-1145", "CVE-2014-0098", "CVE-2014-3480", "CVE-2015-1138", "CVE-2014-3981", "CVE-2015-1140", "CVE-2013-0118", "CVE-2014-0207", "CVE-2014-8275", "CVE-2014-3570", "CVE-2013-6438", "CVE-2015-1147", "CVE-2014-3669", "CVE-2015-1093", "CVE-2015-1545", "CVE-2014-3487", "CVE-2014-3538", "CVE-2014-5120", "CVE-2014-3597", "CVE-2015-1130", "CVE-2015-1136", "CVE-2015-1142", "CVE-2014-3710", "CVE-2015-1139", "CVE-2014-4698", "CVE-2014-3523", "CVE-2014-4049", "CVE-2014-3670", "CVE-2015-1546", "CVE-2015-0204", "CVE-2015-1105", "CVE-2015-1099", "CVE-2015-1146", "CVE-2015-1135", "CVE-2014-2497", "CVE-2015-1118", "CVE-2014-0118", "CVE-2015-1131", "CVE-2015-1137", "CVE-2015-1101", "CVE-2015-1103", "CVE-2015-1104", "CVE-2014-4404", "CVE-2015-1089", "CVE-2015-1133", "CVE-2015-1141", "CVE-2014-0117", "CVE-2015-1088", "CVE-2013-6712", "CVE-2015-1069", "CVE-2014-4380", "CVE-2015-1095", "CVE-2015-1098", "CVE-2014-3569", "CVE-2015-1100", "CVE-2014-0238", "CVE-2014-0226", "CVE-2015-1134"], "modified": "2015-04-13T00:00:00", "id": "SECURITYVULNS:VULN:14366", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14366", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:38:06", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=912292", "https://bugzilla.suse.com/show_bug.cgi?id=912293", "https://bugzilla.suse.com/show_bug.cgi?id=912014", "https://bugzilla.suse.com/show_bug.cgi?id=912294", "https://bugzilla.suse.com/show_bug.cgi?id=911399", "https://bugzilla.suse.com/show_bug.cgi?id=912018", "https://bugzilla.suse.com/show_bug.cgi?id=912296", "https://bugzilla.suse.com/show_bug.cgi?id=912015"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0", "packageFilename": "libopenssl1_0_0-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-debuginfo-32bit", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0-32bit", "packageFilename": "libopenssl1_0_0-32bit-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-debuginfo", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-hmac", "packageFilename": "libopenssl1_0_0-hmac-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl", "packageFilename": "openssl-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl-devel", "packageFilename": "libopenssl-devel-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0", "packageFilename": "libopenssl1_0_0-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl-devel-32bit", "packageFilename": "libopenssl-devel-32bit-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl-debugsource", "packageFilename": "openssl-debugsource-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl-doc", "packageFilename": "openssl-doc-1.0.1k-11.64.2.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-hmac-32bit", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl-debugsource", "packageFilename": "openssl-debugsource-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0-debuginfo-32bit", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0", "packageFilename": "libopenssl1_0_0-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl-devel", "packageFilename": "libopenssl-devel-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0-debuginfo", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl1_0_0-debuginfo", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl-devel", "packageFilename": "libopenssl-devel-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl-debugsource", "packageFilename": "openssl-debugsource-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0", "packageFilename": "libopenssl1_0_0-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl-doc", "packageFilename": "openssl-doc-1.0.1k-2.16.2.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-hmac", "packageFilename": "libopenssl1_0_0-hmac-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-32bit", "packageFilename": "libopenssl1_0_0-32bit-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl-debugsource", "packageFilename": "openssl-debugsource-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "openssl", "packageFilename": "openssl-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl", "packageFilename": "openssl-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl", "packageFilename": "openssl-1.0.1k-11.64.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "libopenssl-devel", "packageFilename": "libopenssl-devel-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl1_0_0-debuginfo", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1k-2.16.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.0.1k-2.16.2", "packageName": "libopenssl-devel-32bit", "packageFilename": "libopenssl-devel-32bit-1.0.1k-2.16.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.0.1k-11.64.2", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1k-11.64.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}], "description": "openssl was updated to 1.0.1k to fix various security issues and bugs.\n\n More information can be found in the openssl advisory:\n <a rel=\"nofollow\" href=\"http://openssl.org/news/secadv_20150108.txt\">http://openssl.org/news/secadv_20150108.txt</a>\n\n Following issues were fixed:\n\n * CVE-2014-3570 (bsc#912296): Bignum squaring (BN_sqr) may have produced\n incorrect results on some platforms, including x86_64.\n\n * CVE-2014-3571 (bsc#912294): Fixed crash in dtls1_get_record whilst in\n the listen state where you get two separate reads performed - one for\n the header and one for the body of the handshake record.\n\n * CVE-2014-3572 (bsc#912015): Don't accept a handshake using an ephemeral\n ECDH ciphersuites with the server key exchange message omitted.\n\n * CVE-2014-8275 (bsc#912018): Fixed various certificate fingerprint issues.\n\n * CVE-2015-0204 (bsc#912014): Only allow ephemeral RSA keys in export\n ciphersuites\n\n * CVE-2015-0205 (bsc#912293): A fixwas added to prevent use of DH client\n certificates without sending certificate verify message.\n\n * CVE-2015-0206 (bsc#912292): A memory leak was fixed in\n dtls1_buffer_record.\n\n", "edition": 1, "reporter": "Suse", "published": "2015-01-23T20:05:13", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-01-23T20:05:13", "id": "OPENSUSE-SU-2015:0130-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:23:40", "references": ["https://bugzilla.suse.com/912018", "https://bugzilla.suse.com/802184", "https://bugzilla.suse.com/922488", "https://bugzilla.suse.com/922496", "https://bugzilla.suse.com/922500", "https://bugzilla.suse.com/912293", "https://bugzilla.suse.com/912015", "https://bugzilla.suse.com/912296", "https://bugzilla.suse.com/920236", "https://bugzilla.suse.com/912014", "https://bugzilla.suse.com/880891", "https://bugzilla.suse.com/901223", "https://bugzilla.suse.com/922501", "https://bugzilla.suse.com/905106", "https://bugzilla.suse.com/890764", "https://bugzilla.suse.com/922499", "http://download.suse.com/patch/finder/?keywords=2c7184ba59decc9a1f6c8b3e30123d3a", "https://bugzilla.suse.com/901277"], "affectedPackage": [{"OS": "SUSE Linux Enterprise for SAP Applications", "OSVersion": "11.2", "packageVersion": "0.9.7g-146.22.29.1", "packageFilename": "compat-openssl097g-0.9.7g-146.22.29.1.x86_64.rpm", "packageName": "compat-openssl097g", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise for SAP Applications", "OSVersion": "11.2", "packageVersion": "0.9.7g-146.22.29.1", "packageFilename": "compat-openssl097g-32bit-0.9.7g-146.22.29.1.x86_64.rpm", "packageName": "compat-openssl097g-32bit", "arch": "x86_64", "operator": "lt"}], "description": "OpenSSL has been updated to fix various security issues:\n\n *\n\n CVE-2014-3568: The build option no-ssl3 was incomplete.\n\n *\n\n CVE-2014-3566: Support for TLS_FALLBACK_SCSV was added.\n\n *\n\n CVE-2014-3508: An information leak in pretty printing functions was\n fixed.\n\n *\n\n CVE-2013-0166: A OCSP bad key DoS attack was fixed.\n\n *\n\n CVE-2013-0169: An SSL/TLS CBC plaintext recovery attack was fixed.\n\n *\n\n CVE-2014-3470: Anonymous ECDH denial of service was fixed.\n\n *\n\n CVE-2014-0224: A SSL/TLS MITM vulnerability was fixed.\n\n *\n\n CVE-2014-3570: Bignum squaring (BN_sqr) may have produced incorrect\n results on some platforms, including x86_64.\n\n *\n\n CVE-2014-3572: Don't accept a handshake using an ephemeral ECDH\n ciphersuites with the server key exchange message omitted.\n\n *\n\n CVE-2014-8275: Fixed various certificate fingerprint issues.\n\n *\n\n CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites\n\n *\n\n CVE-2015-0205: A fix was added to prevent use of DH client\n certificates without sending certificate verify message.\n\n *\n\n CVE-2015-0286: A segmentation fault in ASN1_TYPE_cmp was fixed that\n could be exploited by attackers when e.g. client authentication is used.\n This could be exploited over SSL connections.\n\n *\n\n CVE-2015-0287: A ASN.1 structure reuse memory corruption was fixed.\n This problem can not be exploited over regular SSL connections, only if\n specific client programs use specific ASN.1 routines.\n\n *\n\n CVE-2015-0288: A X509_to_X509_REQ NULL pointer dereference was\n fixed, which could lead to crashes. This function is not commonly used,\n and not reachable over SSL methods.\n\n *\n\n CVE-2015-0289: Several PKCS7 NULL pointer dereferences were fixed,\n which could lead to crashes of programs using the PKCS7 APIs. The SSL apis\n do not use those by default.\n\n *\n\n CVE-2015-0292: Various issues in base64 decoding were fixed, which\n could lead to crashes with memory corruption, for instance by using\n attacker supplied PEM data.\n\n *\n\n CVE-2015-0293: Denial of service via reachable assert in SSLv2\n servers, could be used by remote attackers to terminate the server\n process. Note that this requires SSLv2 being allowed, which is not the\n default.\n\n", "edition": 1, "reporter": "Suse", "published": "2015-03-24T00:05:09", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for compat-openssl097g (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0166", "CVE-2014-3508", "CVE-2014-3566", "CVE-2014-3572", "CVE-2013-0169", "CVE-2015-0286", "CVE-2015-0288", "CVE-2014-0224", "CVE-2014-8275", "CVE-2014-3570", "CVE-2014-3470", "CVE-2015-0293", "CVE-2015-0204", "CVE-2015-0287", "CVE-2015-0289", "CVE-2014-3568", "CVE-2015-0292", "CVE-2015-0205"], "modified": "2015-03-24T00:05:09", "id": "SUSE-SU-2015:0578-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:46:48", "references": ["https://bugzilla.suse.com/912018", "https://bugzilla.suse.com/934494", "https://bugzilla.suse.com/922496", "https://bugzilla.suse.com/912292", "https://bugzilla.suse.com/922500", "https://bugzilla.suse.com/934487", "https://bugzilla.suse.com/931600", "https://bugzilla.suse.com/912293", "https://bugzilla.suse.com/912015", "https://bugzilla.suse.com/912296", "https://bugzilla.suse.com/920236", "https://bugzilla.suse.com/934489", "https://bugzilla.suse.com/934491", "https://bugzilla.suse.com/919648", "https://bugzilla.suse.com/934493", "https://bugzilla.suse.com/937891", "https://bugzilla.suse.com/922499"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libressl-debuginfo-2.2.1-2.3.1.x86_64.rpm", "packageName": "libressl-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libssl33-2.2.1-2.3.1.i586.rpm", "packageName": "libssl33", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libcrypto34-2.2.1-2.3.1.i586.rpm", "packageName": "libcrypto34", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libtls4-2.2.1-2.3.1.x86_64.rpm", "packageName": "libtls4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libcrypto34-debuginfo-2.2.1-2.3.1.i586.rpm", "packageName": "libcrypto34-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libressl-devel-2.2.1-2.3.1.x86_64.rpm", "packageName": "libressl-devel", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libtls4-debuginfo-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libtls4-debuginfo-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libssl33-2.2.1-2.3.1.x86_64.rpm", "packageName": "libssl33", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libressl-2.2.1-2.3.1.x86_64.rpm", "packageName": "libressl", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libtls4-2.2.1-2.3.1.i586.rpm", "packageName": "libtls4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libressl-debugsource-2.2.1-2.3.1.x86_64.rpm", "packageName": "libressl-debugsource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libssl33-debuginfo-2.2.1-2.3.1.i586.rpm", "packageName": "libssl33-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libssl33-debuginfo-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libssl33-debuginfo-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libressl-devel-2.2.1-2.3.1.i586.rpm", "packageName": "libressl-devel", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libssl33-debuginfo-2.2.1-2.3.1.x86_64.rpm", "packageName": "libssl33-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libcrypto34-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libcrypto34-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libcrypto34-debuginfo-2.2.1-2.3.1.x86_64.rpm", "packageName": "libcrypto34-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libssl33-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libssl33-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libressl-debuginfo-2.2.1-2.3.1.i586.rpm", "packageName": "libressl-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libcrypto34-debuginfo-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libcrypto34-debuginfo-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libcrypto34-2.2.1-2.3.1.x86_64.rpm", "packageName": "libcrypto34", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "noarch", "packageFilename": "libressl-devel-doc-2.2.1-2.3.1.noarch.rpm", "packageName": "libressl-devel-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libtls4-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libtls4-32bit", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libtls4-debuginfo-2.2.1-2.3.1.x86_64.rpm", "packageName": "libtls4-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libressl-debugsource-2.2.1-2.3.1.i586.rpm", "packageName": "libressl-debugsource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libressl-2.2.1-2.3.1.i586.rpm", "packageName": "libressl", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "i586", "packageFilename": "libtls4-debuginfo-2.2.1-2.3.1.i586.rpm", "packageName": "libtls4-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "2.2.1-2.3.1", "arch": "x86_64", "packageFilename": "libressl-devel-32bit-2.2.1-2.3.1.x86_64.rpm", "packageName": "libressl-devel-32bit", "operator": "lt"}], "description": "libressl was updated to version 2.2.1 to fix 16 security issues.\n\n LibreSSL is a fork of OpenSSL. Because of that CVEs affecting OpenSSL\n often also affect LibreSSL.\n\n These security issues were fixed:\n - CVE-2014-3570: The BN_sqr implementation in OpenSSL before 0.9.8zd,\n 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k did not properly calculate\n the square of a BIGNUM value, which might make it easier for remote\n attackers to defeat cryptographic protection mechanisms via unspecified\n vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,\n and crypto/bn/bn_asm.c (bsc#912296).\n - CVE-2014-3572: The ssl3_get_key_exchange function in s3_clnt.c in\n OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k\n allowed remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks\n and trigger a loss of forward secrecy by omitting the ServerKeyExchange\n message (bsc#912015).\n - CVE-2015-1792: The do_free_upto function in crypto/cms/cms_smime.c in\n OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and\n 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of\n service (infinite loop) via vectors that trigger a NULL value of a BIO\n data structure, as demonstrated by an unrecognized X.660 OID for a hash\n function (bsc#934493).\n - CVE-2014-8275: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1\n before 1.0.1k did not enforce certain constraints on certificate data,\n which allowed remote attackers to defeat a fingerprint-based\n certificate-blacklist protection mechanism by including crafted data\n within a certificate's unsigned portion, related to\n crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c,\n and crypto/x509/x_all.c (bsc#912018).\n - CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey\n function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before\n 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allowed\n remote attackers to cause a denial of service (memory corruption and\n application crash) or possibly have unspecified other impact via a\n malformed Elliptic Curve (EC) private-key file that is improperly\n handled during import (bsc#919648).\n - CVE-2015-1789: The X509_cmp_time function in crypto/x509/x509_vfy.c in\n OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and\n 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of\n service (out-of-bounds read and application crash) via a crafted length\n field in ASN1_TIME data, as demonstrated by an attack against a server\n that supports client authentication with a custom verification callback\n (bsc#934489).\n - CVE-2015-1788: The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in\n OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and\n 1.0.2 before 1.0.2b did not properly handle ECParameters structures in\n which the curve is over a malformed binary polynomial field, which\n allowed remote attackers to cause a denial of service (infinite loop)\n via a session that used an Elliptic Curve algorithm, as demonstrated by\n an attack against a server that supports client authentication\n (bsc#934487).\n - CVE-2015-1790: The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c\n in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and\n 1.0.2 before 1.0.2b allowed remote attackers to cause a denial of\n service (NULL pointer dereference and application crash) via a PKCS#7\n blob that used ASN.1 encoding and lacks inner EncryptedContent data\n (bsc#934491).\n - CVE-2015-0287: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c\n in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and\n 1.0.2 before 1.0.2a did not reinitialize CHOICE and ADB data structures,\n which might allowed attackers to cause a denial of service (invalid\n write operation and memory corruption) by leveraging an application that\n relies on ASN.1 structure reuse (bsc#922499).\n - CVE-2015-0286: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in\n OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and\n 1.0.2 before 1.0.2a did not properly perform boolean-type comparisons,\n which allowed remote attackers to cause a denial of service (invalid\n read operation and application crash) via a crafted X.509 certificate to\n an endpoint that used the certificate-verification feature (bsc#922496).\n - CVE-2015-0289: The PKCS#7 implementation in OpenSSL before 0.9.8zf,\n 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a did\n not properly handle a lack of outer ContentInfo, which allowed attackers\n to cause a denial of service (NULL pointer dereference and application\n crash) by leveraging an application that processes arbitrary PKCS#7 data\n and providing malformed data with ASN.1 encoding, related to\n crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (bsc#922500).\n - CVE-2015-0288: The X509_to_X509_REQ function in crypto/x509/x509_req.c\n in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and\n 1.0.2 before 1.0.2a might allowed attackers to cause a denial of service\n (NULL pointer dereference and application crash) via an invalid\n certificate key (bsc#920236).\n - CVE-2014-8176: The dtls1_clear_queues function in ssl/d1_lib.c in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h\n frees data structures without considering that application data can\n arrive between a ChangeCipherSpec message and a Finished message, which\n allowed remote DTLS peers to cause a denial of service (memory\n corruption and application crash) or possibly have unspecified other\n impact via unexpected application data (bsc#934494).\n - CVE-2015-4000: The TLS protocol 1.2 and earlier, when a DHE_EXPORT\n ciphersuite is enabled on a server but not on a client, did not properly\n convey a DHE_EXPORT choice, which allowed man-in-the-middle attackers to\n conduct cipher-downgrade attacks by rewriting a ClientHello with DHE\n replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT\n replaced by DHE, aka the "Logjam" issue (bsc#931600).\n - CVE-2015-0205: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL\n 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client\n authentication with a Diffie-Hellman (DH) certificate without requiring\n a CertificateVerify message, which allowed remote attackers to obtain\n access without knowledge of a private key via crafted TLS Handshake\n Protocol traffic to a server that recognizes a Certification Authority\n with DH support (bsc#912293).\n - CVE-2015-0206: Memory leak in the dtls1_buffer_record function in\n d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allowed\n remote attackers to cause a denial of service (memory consumption) by\n sending many duplicate records for the next epoch, leading to failure of\n replay detection (bsc#912292).\n\n", "edition": 1, "reporter": "Suse", "published": "2015-07-22T15:08:14", "title": "Security update for libressl (important)", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4000", "CVE-2015-1792", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-1789", "CVE-2015-0286", "CVE-2015-0288", "CVE-2014-8275", "CVE-2014-3570", "CVE-2014-8176", "CVE-2015-1788", "CVE-2015-0209", "CVE-2015-1790", "CVE-2015-0287", "CVE-2015-0289", "CVE-2015-0205"], "modified": "2015-07-22T15:08:14", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html", "id": "OPENSUSE-SU-2015:1277-1", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:32:46", "references": ["https://bugzilla.suse.com/968046", "https://bugzilla.suse.com/967787", "https://bugzilla.suse.com/963415", "https://bugzilla.suse.com/968048", "https://bugzilla.suse.com/968374", "https://bugzilla.suse.com/952871"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-32bit", "packageFilename": "libopenssl0_9_8-32bit-0.9.8zh-14.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8zh-14.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8zh-9.3.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8zh-9.3.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8zh-9.3.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8zh-9.3.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8zh-14.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-32bit", "packageFilename": "libopenssl0_9_8-32bit-0.9.8zh-9.3.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-debuginfo-32bit", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8zh-14.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-debuginfo-32bit", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8zh-9.3.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-debugsource", "packageFilename": "libopenssl0_9_8-debugsource-0.9.8zh-14.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8-debugsource", "packageFilename": "libopenssl0_9_8-debugsource-0.9.8zh-14.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8zh-14.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-debugsource", "packageFilename": "libopenssl0_9_8-debugsource-0.9.8zh-9.3.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "0.9.8zh-9.3.1", "packageName": "libopenssl0_9_8-debugsource", "packageFilename": "libopenssl0_9_8-debugsource-0.9.8zh-9.3.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8zh-14.1", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8zh-14.1.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "This update for libopenssl0_9_8 fixes the following issues:\n\n - CVE-2016-0800 aka the "DROWN" attack (bsc#968046): OpenSSL was\n vulnerable to a cross-protocol attack that could lead to decryption of\n TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites\n as a Bleichenbacher RSA padding oracle.\n\n This update changes the openssl library to:\n\n * Disable SSLv2 protocol support by default.\n\n This can be overridden by setting the environment variable\n "OPENSSL_ALLOW_SSL2" or by using SSL_CTX_clear_options using the\n SSL_OP_NO_SSLv2 flag.\n\n Note that various services and clients had already disabled SSL\n protocol 2 by default previously.\n\n * Disable all weak EXPORT ciphers by default. These can be reenabled if\n required by old legacy software using the environment variable\n "OPENSSL_ALLOW_EXPORT".\n\n - CVE-2016-0797 (bnc#968048): The BN_hex2bn() and BN_dec2bn() functions\n had a bug that could result in an attempt to de-reference a NULL pointer\n leading to crashes. This could have security consequences if these\n functions were ever called by user applications with large untrusted\n hex/decimal data. Also, internal usage of these functions in OpenSSL\n uses data from config files or application command line arguments. If\n user developed applications generated config file data based on\n untrusted data, then this could have had security consequences as well.\n\n - CVE-2016-0799 (bnc#968374) On many 64 bit systems, the internal fmtstr()\n and doapr_outch() functions could miscalculate the length of a string\n and attempt to access out-of-bounds memory locations. These problems\n could have enabled attacks where large amounts of untrusted data is\n passed to the BIO_*printf functions. If applications use these functions\n in this way then they could have been vulnerable. OpenSSL itself uses\n these functions when printing out human-readable dumps of ASN.1 data.\n Therefore applications that print this data could have been vulnerable\n if the data is from untrusted sources. OpenSSL command line applications\n could also have been vulnerable when they print out ASN.1 data, or if\n untrusted data is passed as command line arguments. Libssl is not\n considered directly vulnerable.\n\n\n - The package was updated to 0.9.8zh:\n * fixes many security vulnerabilities (not seperately listed):\n CVE-2015-3195, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790,\n CVE-2015-1792, CVE-2015-1791, CVE-2015-0286, CVE-2015-0287,\n CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288,\n CVE-2014-3571, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204,\n CVE-2014-8275, CVE-2014-3570, CVE-2014-3567, CVE-2014-3568,\n CVE-2014-3566, CVE-2014-3510, CVE-2014-3507, CVE-2014-3506,\n CVE-2014-3505, CVE-2014-3508, CVE-2014-0224, CVE-2014-0221,\n CVE-2014-0195, CVE-2014-3470, CVE-2014-0076, CVE-2013-0169,\n CVE-2013-0166\n\n - avoid running OPENSSL_config twice. This avoids breaking engine loading.\n (boo#952871, boo#967787)\n\n - fix CVE-2015-3197 (boo#963415)\n * SSLv2 doesn't block disabled ciphers\n\n", "edition": 1, "reporter": "Suse", "published": "2016-03-03T14:11:44", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "suse", "title": "Security update for libopenssl0_9_8 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0166", "CVE-2014-3505", "CVE-2014-3508", "CVE-2015-1792", "CVE-2014-3566", "CVE-2015-3197", "CVE-2014-3572", "CVE-2015-1789", "CVE-2013-0169", "CVE-2015-0286", "CVE-2014-3507", "CVE-2015-3195", "CVE-2014-3571", "CVE-2014-0076", "CVE-2016-0799", "CVE-2015-0288", "CVE-2014-0224", "CVE-2014-8275", "CVE-2016-0797", "CVE-2014-3570", "CVE-2014-3470", "CVE-2014-3506", "CVE-2015-0293", "CVE-2015-1788", "CVE-2014-0195", "CVE-2015-0209", "CVE-2014-3567", "CVE-2015-0204", "CVE-2016-0800", "CVE-2015-1790", "CVE-2014-3510", "CVE-2015-0287", "CVE-2015-0289", "CVE-2014-3568", "CVE-2014-3569", "CVE-2015-1791", "CVE-2014-0221"], "modified": "2016-03-03T14:11:44", "id": "OPENSUSE-SU-2016:0640-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:13:42", "references": ["https://download.suse.com/patch/finder/?keywords=bf7ed7fc98aa76bac61b9bec767d2098", "https://bugzilla.suse.com/927623", "https://bugzilla.suse.com/922043"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client_r18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-32bit-5.5.43-0.7.3.s390x.rpm", "packageName": "libmysql55client_r18-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client_r18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.ia64.rpm", "packageName": "mysql", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-32bit-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client_r18-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.ia64.rpm", "packageName": "mysql-tools", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.i586.rpm", "packageName": "mysql-tools", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client_r18", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.ia64.rpm", "packageName": "libmysql55client18", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.ppc64.rpm", "packageName": "mysql-tools", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.s390x.rpm", "packageName": "mysql-tools", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-32bit-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-x86-5.5.43-0.7.3.ia64.rpm", "packageName": "libmysql55client_r18-x86", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.s390x.rpm", "packageName": "mysql-client", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client18", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql-client", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.ia64.rpm", "packageName": "libmysql55client_r18", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-32bit-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client_r18-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-32bit-5.0.96-0.6.20.s390x.rpm", "packageName": "libmysqlclient15-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-32bit-5.0.96-0.6.20.s390x.rpm", "packageName": "libmysqlclient_r15-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.ia64.rpm", "packageName": "libmysqlclient_r15", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.ia64.rpm", "packageName": "libmysqlclient15", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-32bit-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.ppc64.rpm", "packageName": "libmysqlclient_r15", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-32bit-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient_r15-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.ia64.rpm", "packageName": "mysql-client", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.s390x.rpm", "packageName": "mysql", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.ppc64.rpm", "packageName": "mysql-client", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql-tools", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-32bit-5.0.96-0.6.20.ppc64.rpm", "packageName": "libmysqlclient_r15-32bit", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql-client", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.s390x.rpm", "packageName": "libmysqlclient_r15", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-x86-5.5.43-0.7.3.ia64.rpm", "packageName": "libmysql55client18-x86", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-32bit-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient_r15-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.ppc64.rpm", "packageName": "libmysql55client_r18", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient_r15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient_r15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.i586.rpm", "packageName": "mysql-client", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-x86-5.0.96-0.6.20.ia64.rpm", "packageName": "libmysqlclient15-x86", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-x86-5.0.96-0.6.20.ia64.rpm", "packageName": "libmysqlclient_r15-x86", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient_r15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient_r15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql-tools", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.s390x.rpm", "packageName": "libmysql55client_r18", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-32bit-5.5.43-0.7.3.ppc64.rpm", "packageName": "libmysql55client18-32bit", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client18", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-32bit-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client18", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.s390x.rpm", "packageName": "libmysql55client18", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.i586.rpm", "packageName": "mysql", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-32bit-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client18-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.i586.rpm", "packageName": "mysql-client", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.i586.rpm", "packageName": "mysql-client", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-32bit-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client_r18", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-5.5.43-0.7.3.ppc64.rpm", "packageName": "libmysql55client18", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.ppc64.rpm", "packageName": "mysql", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient_r15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.x86_64.rpm", "packageName": "libmysql55client_r18", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-tools-5.5.43-0.7.3.i586.rpm", "packageName": "mysql-tools", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-client-5.5.43-0.7.3.x86_64.rpm", "packageName": "mysql-client", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.s390x.rpm", "packageName": "libmysqlclient15", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.i586.rpm", "packageName": "mysql", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "mysql-5.5.43-0.7.3.i586.rpm", "packageName": "mysql", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client18-32bit-5.5.43-0.7.3.s390x.rpm", "packageName": "libmysql55client18-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-32bit-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient15-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.i586.rpm", "packageName": "libmysqlclient15", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-32bit-5.5.43-0.7.3.ppc64.rpm", "packageName": "libmysql55client_r18-32bit", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient_r15-5.0.96-0.6.20.x86_64.rpm", "packageName": "libmysqlclient_r15", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-32bit-5.0.96-0.6.20.ppc64.rpm", "packageName": "libmysqlclient15-32bit", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "5.0.96-0.6.20", "packageFilename": "libmysqlclient15-5.0.96-0.6.20.ppc64.rpm", "packageName": "libmysqlclient15", "arch": "ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "5.5.43-0.7.3", "packageFilename": "libmysql55client_r18-5.5.43-0.7.3.i586.rpm", "packageName": "libmysql55client_r18", "arch": "i586", "operator": "lt"}], "description": "MySQL was updated to version 5.5.43 to fix several security and non\n security issues:\n\n * CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,\n CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205,\n CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433,\n CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498,\n CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503,\n CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508,\n CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568,\n CVE-2015-2571, CVE-2015-2573, CVE-2015-2576.\n * Fix integer overflow in regcomp (Henry Spencer's regex library) for\n excessively long pattern strings. (bnc#922043, CVE-2015-2305)\n\n For a comprehensive list of changes, refer to\n <a rel=\"nofollow\" href=\"http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html\">http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html</a>\n <<a rel=\"nofollow\" href=\"http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html\">http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html</a>> .\n\n Security Issues:\n\n * CVE-2014-3569\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569</a>>\n * CVE-2014-3570\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570</a>>\n * CVE-2014-3571\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571</a>>\n * CVE-2014-3572\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572</a>>\n * CVE-2014-8275\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275</a>>\n * CVE-2015-0204\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204</a>>\n * CVE-2015-0205\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205</a>>\n * CVE-2015-0206\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206</a>>\n * CVE-2015-0405\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0405\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0405</a>>\n * CVE-2015-0423\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0423\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0423</a>>\n * CVE-2015-0433\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433</a>>\n * CVE-2015-0438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0438</a>>\n * CVE-2015-0439\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0439\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0439</a>>\n * CVE-2015-0441\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0441\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0441</a>>\n * CVE-2015-0498\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0498\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0498</a>>\n * CVE-2015-0499\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499</a>>\n * CVE-2015-0500\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0500\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0500</a>>\n * CVE-2015-0501\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501</a>>\n * CVE-2015-0503\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0503\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0503</a>>\n * CVE-2015-0505\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505</a>>\n * CVE-2015-0506\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0506\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0506</a>>\n * CVE-2015-0507\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0507\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0507</a>>\n * CVE-2015-0508\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0508\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0508</a>>\n * CVE-2015-0511\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0511\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0511</a>>\n * CVE-2015-2566\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2566\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2566</a>>\n * CVE-2015-2567\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2567\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2567</a>>\n * CVE-2015-2568\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568</a>>\n * CVE-2015-2571\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571</a>>\n * CVE-2015-2573\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2573\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2573</a>>\n * CVE-2015-2576\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2576\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2576</a>>\n * CVE-2015-2305\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305</a>>\n\n", "edition": 1, "reporter": "Suse", "published": "2015-05-26T15:04:53", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "Security update for MySQL (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2015-2576", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-2568", "CVE-2015-0506", "CVE-2014-3571", "CVE-2015-0511", "CVE-2015-2305", "CVE-2015-0501", "CVE-2015-0439", "CVE-2015-0507", "CVE-2015-2571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0503", "CVE-2015-0500", "CVE-2015-0405", "CVE-2015-0204", "CVE-2015-2566", "CVE-2015-0423", "CVE-2015-0498", "CVE-2015-0438", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0508", "CVE-2015-0505", "CVE-2015-2573", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-05-26T15:04:53", "id": "SUSE-SU-2015:0946-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "references": ["https://www.openssl.org/news/secadv_20150108.txt", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0206", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0205", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3572", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3570", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3571"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "1.0.1.k-1", "packageName": "openssl", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "- CVE-2014-3571 (denial of service)\nA remote attacker is able to cause a denial of service (NULL pointer\ndereference and application crash) via a crafted DTLS message that is\nprocessed with a different read operation for the handshake header than\nfor the handshake body, related to the dtls1_get_record function in\nd1_pkt.c and the ssl3_read_n function in s3_pkt.c.\n\n- CVE-2015-0206 (denial of service)\nA memory leak can occur in the dtls1_buffer_record function under\ncertain conditions. In particular this could occur if an attacker sent\nrepeated DTLS records with the same sequence number but for the next\nepoch. The memory leak could be exploited by an attacker in a denial of\nservice attack through memory exhaustion.\n\n- CVE-2014-3569 (denial of service)\nThe ssl23_get_client_hello function in s23_srvr.c does not properly\nhandle attempts to use unsupported protocols, which allows remote\nattackers to cause a denial of service (NULL pointer dereference and\ndaemon crash) via an unexpected handshake, as demonstrated by an SSLv3\nhandshake to a no-ssl3 application with certain error handling.\n\n- CVE-2014-3572 (cipher downgrade)\nAn OpenSSL client will accept a handshake using an ephemeral ECDH\nciphersuite using an ECDSA certificate if the server key exchange\nmessage is omitted. This effectively removes forward secrecy from the\nciphersuite.\n\n- CVE-2015-0204 (cipher downgrade)\nThe ssl3_get_key_exchange function in s3_clnt.c allows remote SSL\nservers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate\nbrute-force decryption by offering a weak ephemeral RSA key in a\nnoncompliant role.\n\n- CVE-2015-0205 (certificate verification bypass)\nAn OpenSSL server will accept a DH certificate for client authentication\nwithout the certificate verify message. This effectively allows a client\nto authenticate without the use of a private key. This only affects\nservers which trust a client certificate authority which issues\ncertificates containing DH keys.\n\n- CVE-2014-8275 (certificate fingerprint modification)\nOpenSSL accepts several non-DER-variations of certificate signature\nalgorithm and signature encodings. OpenSSL also does not enforce a match\nbetween the signature algorithm between the signed and unsigned portions\nof the certificate. By modifying the contents of the signature algorithm\nor the encoding of the signature, it is possible to change the\ncertificate's fingerprint.\nThis does not allow an attacker to forge certificates, and does not\naffect certificate verification or OpenSSL servers/clients in any other\nway. It also does not affect common revocation mechanisms. Only custom\napplications that rely on the uniqueness of the fingerprint (e.g.\ncertificate blacklists) may be affected.\n\n- CVE-2014-3570 (bignum squaring error)\nThe BN_sqr implementation does not properly calculate the square of a\nBIGNUM value, which might make it easier for remote attackers to defeat\ncryptographic protection mechanisms via unspecified vectors, related to\ncrypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.", "reporter": "Arch Linux", "published": "2015-01-09T00:00:00", "title": "openssl: multiple issues", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-01-09T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000198.html", "id": "ASA-201501-2", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:02", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3572", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-8275", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3571", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0204", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0206", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0205", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3570"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.0.1f-1ubuntu2.8", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "0.9.8k-7ubuntu8.23", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl0.9.8", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.0.1-4ubuntu5.21", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "1.0.1f-1ubuntu9.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}], "description": "Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring. (CVE-2014-3570)\n\nMarkus Stenberg discovered that OpenSSL incorrectly handled certain crafted DTLS messages. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2014-3571)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain handshakes. A remote attacker could possibly use this issue to downgrade to ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)\n\nAntti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that OpenSSL incorrectly handled certain certificate fingerprints. A remote attacker could possibly use this issue to trick certain applications that rely on the uniqueness of fingerprints. (CVE-2014-8275)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain key exchanges. A remote attacker could possibly use this issue to downgrade the security of the session to EXPORT_RSA. (CVE-2015-0204)\n\nKarthikeyan Bhargavan discovered that OpenSSL incorrectly handled client authentication. A remote attacker could possibly use this issue to authenticate without the use of a private key in certain limited scenarios. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0205)\n\nChris Mueller discovered that OpenSSL incorrect handled memory when processing DTLS records. A remote attacker could use this issue to cause OpenSSL to consume resources, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0206)", "edition": 3, "reporter": "Ubuntu", "published": "2015-01-12T00:00:00", "title": "OpenSSL vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-01-12T00:00:00", "id": "USN-2459-1", "href": "https://usn.ubuntu.com/2459-1/", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "redhat": [{"lastseen": "2018-05-11T21:13:47", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ppc64", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390x", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390x", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390x", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "s390x", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ia64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-0.9.8e-33.el5_11.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "i386", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ia64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-0.9.8e-33.el5_11.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ia64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-0.9.8e-33.el5_11.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "0.9.8e-33.el5_11", "arch": "ia64", "packageName": "openssl", "packageFilename": "openssl-0.9.8e-33.el5_11.ia64.rpm", "operator": "lt"}], "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nAn integer underflow flaw, leading to a buffer overflow, was found in the\nway OpenSSL decoded malformed Base64-encoded inputs. An attacker able to\nmake an application using OpenSSL decode a specially crafted Base64-encoded\ninput (such as a PEM file) could use this flaw to cause the application to\ncrash. Note: this flaw is not exploitable via the TLS/SSL protocol because\nthe data being transferred is not Base64-encoded. (CVE-2015-0292)\n\nA denial of service flaw was found in the way OpenSSL handled SSLv2\nhandshake messages. A remote attacker could use this flaw to cause a\nTLS/SSL server using OpenSSL to exit on a failed assertion if it had both\nthe SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nAn out-of-bounds write flaw was found in the way OpenSSL reused certain\nASN.1 structures. A remote attacker could possibly use a specially crafted\nASN.1 structure that, when parsed by an application, would cause that\napplication to crash. (CVE-2015-0287)\n\nA NULL pointer dereference flaw was found in OpenSSL's X.509 certificate\nhandling implementation. A specially crafted X.509 certificate could cause\nan application using OpenSSL to crash if the application attempted to\nconvert the certificate to a certificate request. (CVE-2015-0288)\n\nA NULL pointer dereference was found in the way OpenSSL handled certain\nPKCS#7 inputs. An attacker able to make an application using OpenSSL\nverify, decrypt, or parse a specially crafted PKCS#7 input could cause that\napplication to crash. TLS/SSL clients and servers using OpenSSL were not\naffected by this flaw. (CVE-2015-0289)\n\nRed Hat would like to thank the OpenSSL project for reporting \nCVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and \nCVE-2015-0293. Upstream acknowledges Emilia Kasper of the OpenSSL \ndevelopment team as the original reporter of CVE-2015-0287, Brian Carpenter \nas the original reporter of CVE-2015-0288, Michal Zalewski of Google as the \noriginal reporter of CVE-2015-0289, Robert Dugal and David Ramos as the \noriginal reporters of CVE-2015-0292, and Sean Burford of Google and Emilia \nKasper of the OpenSSL development team as the original reporters of \nCVE-2015-0293.\n\nAll openssl users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. For the update to take\neffect, all services linked to the OpenSSL library must be restarted, or\nthe system rebooted.\n", "reporter": "RedHat", "published": "2015-04-13T04:00:00", "type": "redhat", "title": "(RHSA-2015:0800) Moderate: openssl security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0292", "CVE-2015-0293", "CVE-2016-0703", "CVE-2016-0704"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-05-11T23:27:23", "id": "RHSA-2015:0800", "href": "https://access.redhat.com/errata/RHSA-2015:0800", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-12T21:10:27", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "ppc64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390x", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390x", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390x", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.5.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390x", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-30.el6_6.5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.5", "arch": "s390x", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "x86_64", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "i686", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "ppc64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390x", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-34.el7_0.7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.1e-34.el7_0.7", "arch": "s390", "packageName": "openssl-libs", "packageFilename": "openssl-libs-1.0.1e-34.el7_0.7.s390.rpm", "operator": "lt"}], "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),\nTransport Layer Security (TLS), and Datagram Transport Layer Security\n(DTLS) protocols, as well as a full-strength, general purpose cryptography\nlibrary.\n\nA NULL pointer dereference flaw was found in the DTLS implementation of\nOpenSSL. A remote attacker could send a specially crafted DTLS message,\nwhich would cause an OpenSSL server to crash. (CVE-2014-3571)\n\nA memory leak flaw was found in the way the dtls1_buffer_record() function\nof OpenSSL parsed certain DTLS messages. A remote attacker could send\nmultiple specially crafted DTLS messages to exhaust all available memory of\na DTLS server. (CVE-2015-0206)\n\nIt was found that OpenSSL's BigNumber Squaring implementation could produce\nincorrect results under certain special conditions. This flaw could\npossibly affect certain OpenSSL library functionality, such as RSA\nblinding. Note that this issue occurred rarely and with a low probability,\nand there is currently no known way of exploiting it. (CVE-2014-3570)\n\nIt was discovered that OpenSSL would perform an ECDH key exchange with a\nnon-ephemeral key even when the ephemeral ECDH cipher suite was selected.\nA malicious server could make a TLS/SSL client using OpenSSL use a weaker\nkey exchange method than the one requested by the user. (CVE-2014-3572)\n\nIt was discovered that OpenSSL would accept ephemeral RSA keys when using\nnon-export RSA cipher suites. A malicious server could make a TLS/SSL\nclient using OpenSSL use a weaker key exchange method. (CVE-2015-0204)\n\nMultiple flaws were found in the way OpenSSL parsed X.509 certificates.\nAn attacker could use these flaws to modify an X.509 certificate to produce\na certificate with a different fingerprint without invalidating its\nsignature, and possibly bypass fingerprint-based blacklisting in\napplications. (CVE-2014-8275)\n\nIt was found that an OpenSSL server would, under certain conditions, accept\nDiffie-Hellman client certificates without the use of a private key.\nAn attacker could use a user's client certificate to authenticate as that\nuser, without needing the private key. (CVE-2015-0205)\n\nAll OpenSSL users are advised to upgrade to these updated packages, which\ncontain a backported patch to mitigate the above issues. For the update to\ntake effect, all services linked to the OpenSSL library (such as httpd and\nother SSL-enabled services) must be restarted or the system rebooted.\n", "reporter": "RedHat", "published": "2015-01-20T05:00:00", "type": "redhat", "title": "(RHSA-2015:0066) Moderate: openssl security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:35", "id": "RHSA-2015:0066", "href": "https://access.redhat.com/errata/RHSA-2015:0066", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "amazon": [{"lastseen": "2016-09-28T21:04:15", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1k-1.82.amzn1.x86_64", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "x86_64", "packageFilename": "openssl-debuginfo-1.0.1k-1.82.amzn1.x86_64", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "i686", "packageFilename": "openssl-devel-1.0.1k-1.82.amzn1.i686", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1k-1.82.amzn1.x86_64", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "i686", "packageFilename": "openssl-debuginfo-1.0.1k-1.82.amzn1.i686", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1k-1.82.amzn1.x86_64", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "i686", "packageFilename": "openssl-static-1.0.1k-1.82.amzn1.i686", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "i686", "packageFilename": "openssl-perl-1.0.1k-1.82.amzn1.i686", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "i686", "packageFilename": "openssl-1.0.1k-1.82.amzn1.i686", "packageName": "openssl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "x86_64", "packageFilename": "openssl-1.0.1k-1.82.amzn1.x86_64", "packageName": "openssl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-1.82", "arch": "src", "packageFilename": "openssl-1.0.1k-1.82.amzn1.src", "packageName": "openssl", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nOpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.\n\nThe BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.\n\nThe ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.\n\nThe ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the [CVE-2014-3568 __](<https://access.redhat.com/security/cve/CVE-2014-3568>) fix.\n\nOpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.\n\nThe ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.\n\nThe ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.\n\nMemory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.\n\n \n**Affected Packages:** \n\n\nopenssl\n\n \n**Issue Correction:** \nRun _yum update openssl_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n openssl-debuginfo-1.0.1k-1.82.amzn1.i686 \n openssl-devel-1.0.1k-1.82.amzn1.i686 \n openssl-perl-1.0.1k-1.82.amzn1.i686 \n openssl-1.0.1k-1.82.amzn1.i686 \n openssl-static-1.0.1k-1.82.amzn1.i686 \n \n src: \n openssl-1.0.1k-1.82.amzn1.src \n \n x86_64: \n openssl-devel-1.0.1k-1.82.amzn1.x86_64 \n openssl-static-1.0.1k-1.82.amzn1.x86_64 \n openssl-1.0.1k-1.82.amzn1.x86_64 \n openssl-perl-1.0.1k-1.82.amzn1.x86_64 \n openssl-debuginfo-1.0.1k-1.82.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2015-01-11T12:36:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "amazon", "title": "Medium: openssl", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2014-3568", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2015-01-11T12:38:00", "id": "ALAS-2015-469", "href": "https://alas.aws.amazon.com/ALAS-2015-469.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:45", "references": ["https://www.openssl.org/news/secadv_20150108.txt"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1e_3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-c6-openssl", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.1_4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1_17", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openssl", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openssl", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "mingw32-openssl", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1k", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "mingw32-openssl", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "eq"}], "description": "\nOpenSSL project reports:\n\nDTLS segmentation fault in dtls1_get_record (CVE-2014-3571)\nDTLS memory leak in dtls1_buffer_record (CVE-2015-0206)\nno-ssl3 configuration sets method to NULL (CVE-2014-3569)\nECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)\nRSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)\nDH client certificates accepted without verification [Server] (CVE-2015-0205)\nCertificate fingerprints can be modified (CVE-2014-8275)\nBignum squaring may produce incorrect results (CVE-2014-3570)\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2015-01-08T00:00:00", "title": "OpenSSL -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2016-08-09T00:00:00", "id": "4E536C14-9791-11E4-977D-D050992ECDE8", "href": "https://vuxml.freebsd.org/freebsd/4e536c14-9791-11e4-977d-d050992ecde8.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "kaspersky": [{"lastseen": "2018-09-13T06:47:46", "references": [], "description": "### *CVSS*:\n5.0\n\n### *Detect date*:\n01/08/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in OpenSSL. Malicious users can exploit these vulnerabilities to cause denial of service or bypass security restrictions.\n\n### *Affected products*:\nOpenSSL versions earlier than 0.9.8zd \nOpenSSL 1.0.0 versions earlier than 1.0.0p \nOpenSSL 1.0.1 versions earlier than 1.0.1k\n\n### *Solution*:\nUpdate to latest version!\n\n### *Original advisories*:\n[OpenSSL bulletin](<https://www.openssl.org/news/secadv_20150108.txt>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[OpenSSl](<https://threats.kaspersky.com/en/product/OpenSSl/>)\n\n### *CVE-IDS*:\n[CVE-2014-3571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>) \n[CVE-2014-8275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>) \n[CVE-2014-3569](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>) \n[CVE-2014-3572](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>) \n[CVE-2014-3570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>) \n[CVE-2015-0206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>) \n[CVE-2015-0204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>) \n[CVE-2015-0205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>)", "edition": 13, "reporter": "Kaspersky Lab", "published": "2015-01-08T00:00:00", "title": "\r KLA10460Multiple vulnerabilities in OpenSSL ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205", "CVE-2014-3569"], "modified": "2018-09-10T00:00:00", "id": "KLA10460", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10460", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "aix": [{"lastseen": "2018-08-31T00:08:34", "aixFileset": [{"productVersions": ["any"], "versionGte": "0.9.8.401", "fileset": "openssl.base", "versionLte": "0.9.8.2504", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "12.9.8.1100", "fileset": "openssl.base", "versionLte": "12.9.8.2504", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "1.0.1.500", "fileset": "openssl.base", "versionLte": "1.0.1.513", "productName": "aix"}], "references": [], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Wed Feb 4 06:24:41 CST 2015\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc\n===============================================================================\n VULNERABILITY SUMMARY\n\n1. VULNERABILITY: AIX OpenSSL does not properly calculate the square of a BIGNUM \n value which makes it easier for attacker to defeat cryptographic\n protection mechanisms\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2014-3570\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n2.VULNERABILITY: AIX OpenSSL Denial of Service due to NULL pointer dereference\n while processing a DTLS message\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2014-3571\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n3. VULNERABILITY: AIX OpenSSL allows remote SSL servers to conduct ECDHE-to-ECDH\n downgrade attacks and thereby causing loss of forward secrecy\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2014-3572\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n4. VULNERABILITY: AIX OpenSSL allows remote attackers to defeat the fingerprint-based\n certificate blacklist protection mechanism\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2014-8275\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n5. VULNERABILITY: AIX OpenSSL allows remote SSL servers to conduct RSA-to-EXPORT_RSA\n downgrade attacks and thereby offering a weak ephemeral RSA key in\n a noncompliant role\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2015-0204\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n6. VULNERABILITY: AIX OpenSSL allows remote attackers to obtain access without\n knowledge of a private key on a server that recognizes a\n Certification Authority with DH support\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2015-0205\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n7. VULNERABILITY: AIX OpenSSL allows remote attackers to cause Denial of Service\n by sending many duplicate records for the next epoch, leading\n to failure of replay detection\n\n PLATFORMS: AIX 5.3, 6.1 and 7.1\n VIOS 2.2.*\n\n SOLUTION: Apply the fix as described below.\n\n THREAT: See below\n\n CVE Numbers: CVE-2015-0206\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION \n \n 1. CVE-2014-3570\n \tOpenSSL does not properly calculate the square of a BIGNUM value, which might \n make it easier for remote attackers to defeat cryptographic protection mechanisms \n via unspecified vectors\n\n 2. CVE-2014-3571\n\t OpenSSL allows remote attackers to cause a denial of service via a crafted DTLS \n message that is processed with a different read operation for the handshake \n header than for the handshake body\n\n 3. CVE-2014-3572\n OpenSSL allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks \n and trigger loss of forward secrecy by omitting the ServerKeyExchange message.\n\n 4. CVE-2014-8275\n OpenSSL does not enforce certain constraints on certificate data, which allows \n remote attackers to defeat a fingerprint-based certificate-blacklist protection \n mechanism by including crafted data within a certificate's unsigned portion\n\n 5. CVE-2015-0204\n OpenSSL allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks \n and facilitate brute-force decryption by offering a weak ephemeral RSA key \n in a noncompliant role.\n\n 6. CVE-2015-0205\n OpenSSL accepts client authentication with a Diffie-Hellman (DH) certificate \n without requiring a CertificateVerify message, which allows remote attackers \n to obtain access without knowledge of a private key via crafted TLS Handshake \n Protocol traffic to a server that recognizes a Certification Authority \n with DH support.\n\n 7. CVE-2015-0206\n\t OpenSSL could allow remote attackers to cause a denial of service (memory \n consumption) by sending many duplicate records for the next epoch, leading \n to failure of replay detection.\n\nII. CVSS\n\n 1. CVE-2014-3570\n CVSS Base Score: 2.6\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99710\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N\n\n 2. CVE-2014-3571\n CVSS Base Score: 5\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99703\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P\n\n 3. CVE-2014-3572\n CVSS Base Score: 1.2\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99705\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N\n\n 4. CVE-2014-8275\n CVSS Base Score: 1.2\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99709\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N\n\n 5. CVE-2015-0204\n CVSS Base Score: 1.2\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99707\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N\n\n 6. CVE-2015-0205\n CVSS Base Score: 2.1\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99708 \n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N\n\n 7. CVE-2015-0206\n CVSS Base Score: 5\n CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/99704\n CVSS Environmental Score*: Undefined\n CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P\n\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n To determine if your system is vulnerable, execute the following\n command:\n\n lslpp -L openssl.base\n \n The following fileset levels are vulnerable:\n \n A. CVE-2014-3572, CVE-2015-0205, CVE-2015-0206\n\n AIX Fileset Lower Level Upper Level \n ------------------------------------------\n openssl.base 1.0.1.500 1.0.1.513\n\n B. CVE-2014-3570, CVE-2014-3571, CVE-2014-8275, CVE-2015-0204\n\n AIX Fileset Lower Level Upper Level \n ------------------------------------------\n openssl.base 1.0.1.500 1.0.1.513\n openssl.base 0.9.8.401 0.9.8.2504\n openssl.base 12.9.8.1100 12.9.8.2504\n\n\tNote, 0.9.8.401 and 12.9.8.1100 are the Lowest OpenSSL version\n\tavailable in aix web download site. Even OpenSSL versions below \n\tthis are impacted\n\n\nIV. SOLUTIONS\n\n A. FIXES\n\n Fix is available. The fix can be downloaded via ftp\n from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix12.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n releases.\n\n\tNote that the tar file contains Interim fixes that are based on OpenSSL version.\n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation)\n ---------------------------------------------------------------------------------\n 5.3, 6.1, 7.1 IV69033s9a.150129.epkg.Z openssl.base(1.0.1.513 version)\n 5.3, 6.1, 7.1 IV69033s9b.150129.epkg.Z openssl.base(0.9.8.2504 version)\n 5.3, 6.1, 7.1 IV69033s9c.150129.epkg.Z openssl.base(12.9.8.2504 version)\n\n VIOS Level Interim Fix (*.Z)\t Fileset Name(prereq for installation)\n -------------------------------------------------------------------------------------\n 2.2.* IV69033s9a.150129.epkg.Z openssl.base(1.0.1.513 version)\n 2.2.* IV69033s9b.150129.epkg.Z openssl.base(0.9.8.2504 version)\n 2.2.* IV69033s9c.150129.epkg.Z openssl.base(12.9.8.2504 version)\n\n\n To extract the fix from the tar file:\n\n tar xvf openssl_fix12.tar\n cd openssl_fix12\n\n Verify you have retrieved the fix intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command is the followng:\n\n openssl dgst -sha256 \t\t\t\t\t\t filename\t \n ----------------------------------------------------------------------------------------------\n \tba67b128e22ca028756100a473137b64cd8758c8182e4cda8bc3293b69cb53ba IV69033s9a.150129.epkg.Z\n 1c244927ae807d9c55dee91366ac88488a1312103a19f3017758989f91759f48 IV69033s9b.150129.epkg.Z\n\t 361e751b0ce323b57b8865fca66e90f0dc541857a04b4c67f55874b01e98fffb IV69033s9c.150129.epkg.Z\n\n\t These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc.sig \n\n\topenssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n \n B. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\nV. WORKAROUNDS\n \n No workarounds.\n\nVI. CONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\n\nVII. REFERENCES:\n\n Note: Keywords labeled as KEY in this document are used for parsing purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99710\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99703\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99705\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99709\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99707\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99708 \n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/99704\n CVE-2014-3570 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570\n CVE-2014-3571 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571\n CVE-2014-3572 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572\n CVE-2014-8275 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275\n CVE-2015-0204 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204\n CVE-2015-0205 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205\n CVE-2015-0206 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n", "edition": 3, "reporter": "CentOS Project", "published": "2015-02-04T06:24:41", "title": "Multiple Security vulnerabilities in AIX OpenSSL", "type": "aix", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "aix": {"apars": []}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3572", "CVE-2015-0206", "CVE-2014-3571", "CVE-2014-8275", "CVE-2014-3570", "CVE-2015-0204", "CVE-2015-0205"], "modified": "2015-02-04T06:24:41", "id": "OPENSSL_ADVISORY12.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssl_advisory12.asc", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "cisco": [{"lastseen": "2018-08-09T17:47:59", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl"], "description": "A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass fingerprint-based certificate validation mechanisms implemented by the affected software.\n\nThe vulnerability exists due to insufficient constraints applied on certificate data by the affected software. An attacker could exploit this vulnerability by including crafted data within a certificate's unsigned portion and submitting it to be processed by the affected software. If successful, an attacker could bypass the fingerprint-based certificate-blacklist protection mechanism implemented by the affected software.\n\nA vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.\n\nThe vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.\n\nA vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper implementation of the OpenSSL build configuration. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted SSL 3.0 handshake request to the targeted client. Processing the request could cause the affected software to terminate abnormally, leading to a DoS condition.\n\nA vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper processing of network messages. An attacker could exploit this vulnerability by sending malicious network messages to a targeted system.\n\nA vulnerability in OpenSSL could allow an unauthenticated, remote attacker to conduct downgrade attacks.\n\nThe vulnerability is due to insecure implementation of ephemeral Elliptic Curve Diffie-Hellman (ECDH) ciphersuites by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted handshake requests to the targeted client system. When processed, the requests could allow the attacker to downgrade the server to use the weaker encryption protocol, which could allow the attacker to obtain sensitive information from the system.\n\nAn issue in OpenSSL could result in the calculation of incorrect mathematical results.\n\nThe issue is in the BN_sql function because the function does not properly calculate the square of a BIGNUM value. An unauthenticated, remote attacker could exploit this issue using an unspecified vector. Successful exploitation could cause the software to calculate incorrect results.\n\nReports suggest that no exploits are known and straightforward bug attacks fail because the attacker cannot control when the bug triggers and no private key material is involved.\n\nMultiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:\n\n CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability\n CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability\n CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability\n CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability\n CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability\n CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability\n CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability\n CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue\n\nCisco will release software updates that address these vulnerabilities.\n\nWorkarounds that mitigate these vulnerabilities may be available.\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl\"]\n\nOpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to bypass certain security restrictions and access sensitive information on a targeted system.\n\nThe vulnerability is due to improper certificate verification by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting a crafted Diffie-Hellman certificate without the certificate verify message to the affected server. The processing of such certificates could allow the attacker to bypass certain security restrictions and access sensitive information on the system.\n\nOpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to an error condition that occurs when the affected software processes crafted Datagram Transport Layer Security (DTLS) packets. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted DTLS packets to an affected OpenSSL-based server. An exploit could allow the attacker to consume excessive memory resources, resulting in a DoS condition.", "reporter": "Cisco", "published": "2015-03-10T16:00:00", "type": "cisco", "title": "Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Unity", "version": "any", "operator": "eq"}, {"name": "IOS", "version": "12.2SE", "operator": "eq"}, {"name": "IOS", "version": "12.2EX", "operator": "eq"}, {"name": "IOS", "version": "12.2EY", "operator": "eq"}, {"name": "IOS", "version": "12.2EZ", "operator": "eq"}, {"name": "IOS", "version": "12.4T", "operator": "eq"}, {"name": "IOS", "version": "12.4MD", "operator": "eq"}, {"name": "IOS", "version": "15.0M", "operator": "eq"}, {"name": "IOS", "version": "15.0XA", "operator": "eq"}, {"name": "IOS", "version": "15.1T", "operator": "eq"}, {"name": "IOS", "version": "15.1XB", "operator": "eq"}, {"name": "IOS", "version": "15.0XO", "operator": "eq"}, {"name": "IOS", "version": "15.0S", "operator": "eq"}, {"name": "IOS", "version": "15.2S", "operator": "eq"}, {"name": "IOS", "version": "15.3T", "operator": "eq"}, {"name": "IOS", "version": "15.0EY", "operator": "eq"}, {"name": "IOS", "version": "15.2T", "operator": "eq"}, {"name": "IOS", "version": "12.2WO", "operator": "eq"}, {"name": "IOS", "version": "15.1S", "operator": "eq"}, {"name": "IOS", "version": "15.1M", "operator": "eq"}, {"name": "IOS", "version": "15.0SE", "operator": "eq"}, {"name": "IOS", "version": "15.1GC", "operator": "eq"}, {"name": "IOS", "version": "15.1SG", "operator": "eq"}, {"name": "IOS", "version": "15.2M", "operator": "eq"}, {"name": "IOS", "version": "15.0SG", "operator": "eq"}, {"name": "IOS", "version": "15.0EX", "operator": "eq"}, {"name": "IOS", "version": "15.1SY", "operator": "eq"}, {"name": "IOS", "version": "15.3S", "operator": "eq"}, {"name": "IOS", "version": "15.4T", "operator": "eq"}, {"name": "IOS", "version": "12.4JAN", "operator": "eq"}, {"name": "IOS", "version": "15.2E", "operator": "eq"}, {"name": "IOS", "version": "15.1MRA", "operator": "eq"}, {"name": "IOS", "version": "15.1SVB", "operator": "eq"}, {"name": "IOS", "version": "15.2JB", "operator": "eq"}, {"name": "IOS", "version": "15.4S", "operator": "eq"}, {"name": "IOS", "version": "15.3M", "operator": "eq"}, {"name": "IOS", "version": "15.2JN", "operator": "eq"}, {"name": "IOS", "version": "15.0EZ", "operator": "eq"}, {"name": "IOS", "version": "15.2SC", "operator": "eq"}, {"name": "IOS", "version": "15.2EY", "operator": "eq"}, {"name": "IOS", "version": "15.0EJ", "operator": "eq"}, {"name": "IOS", "version": "15.2SY", "operator": "eq"}, {"name": "IOS", "version": "15.1SVF", "operator": "eq"}, {"name": "IOS", "version": "15.4M", "operator": "eq"}, {"name": "IOS", "version": "15.2SD", "operator": "eq"}, {"name": "IOS", "version": "15.2JAZ", "operator": "eq"}, {"name": "IOS", "version": "15.4CG", "operator": "eq"}, {"name": "IOS", "version": "15.5S", "operator": "eq"}, {"name": "IOS", "version": "15.1SVG", "operator": "eq"}, {"name": "IOS", "version": "15.5T", "operator": "eq"}, {"name": "IOS", "version": "15.2EA", "operator": "eq"}, {"name": "IOS", "version": "15.4SN", "operator": "eq"}, {"name": "IOS", "version": "15.3JN", "operator": "eq"}, {"name": "IOS", "version": "15.1SVH", "operator": "eq"}, {"name": "IOS", "version": "15.3JAA", "operator": "eq"}, {"name": "IOS", "version": "15.5SN", "operator": "eq"}, {"name": "IOS", "version": "15.0SQD", "operator": "eq"}, {"name": "IOS", "version": "15.1SVI", "operator": "eq"}, {"name": "IOS", "version": "15.6SP", "operator": "eq"}, {"name": "IOS", "version": "15.1SVJ", "operator": "eq"}, {"name": "IOS", "version": "15.1SVM", "operator": "eq"}, {"name": "IOS", "version": "15.1SVK", "operator": "eq"}, {"name": "IOS", "version": "15.1SVN", "operator": "eq"}, {"name": "IOS", "version": "15.1SVO", "operator": "eq"}, {"name": "IOS", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Access Registrar", "version": "any", "operator": "eq"}, {"name": "Cisco IP phone", "version": "any", "operator": "eq"}, {"name": "Cisco Emergency Responder", "version": "any", "operator": "eq"}, {"name": "Cisco MDS SAN-OS Software", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XR Software", "version": "any", "operator": "eq"}, {"name": "Cisco ONS 15454 System Software", "version": "any", "operator": "eq"}, {"name": "Cisco NAC Appliance Software", "version": "any", "operator": "eq"}, {"name": "Intrusion Prevention System (IPS)", "version": "any", "operator": "eq"}, {"name": "Cisco Adaptive Security Appliance (ASA) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Presence Server", "version": "any", "operator": "eq"}, {"name": "Cisco ACE Application Control Engine Module", "version": "any", "operator": "eq"}, {"name": "Cisco Wide Area Application Services (WAAS)", "version": "any", "operator": "eq"}, {"name": "Cisco Wireless LAN Controller (WLC)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center Enterprise", "version": "any", "operator": "eq"}, {"name": "Cisco Computer Telephony Integration (CTI) Option", "version": "any", "operator": "eq"}, {"name": "Cisco IP Interoperability and Collaboration System (IPICS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unity Connection", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence", "version": "any", "operator": "eq"}, {"name": "Cisco Security Manager", "version": "any", "operator": "eq"}, {"name": "Cisco NX-OS Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Communications Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Application Networking Manager (ANM)", "version": "any", "operator": "eq"}, {"name": "Cisco Physical Access Gateway", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center Express", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.1SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.5S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.6S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.7S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2XO", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.8S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.9S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2SE", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SE", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3XO", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.5E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.10S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.11S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.12S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.13S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.6E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.14S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.15S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SQ", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4SQ", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.7E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.5SQ", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2JA", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.18SP", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.7", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.10", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.11", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.12", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.13", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.14", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "16.15", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance Operations Manager Software", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance Media Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco MeetingPlace Server", "version": "any", "operator": "eq"}, {"name": "Cisco Network Analysis Module (NAM) Software", "version": "any", "operator": "eq"}, {"name": "Cisco IronPort Encryption Appliance", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Connect", "version": "any", "operator": "eq"}, {"name": "Cisco Network Admission Control Guest Server", "version": "any", "operator": "eq"}, {"name": "Cisco AnyConnect Secure Mobility Client", "version": "any", "operator": "eq"}, {"name": "Cisco Show and Share", "version": "any", "operator": "eq"}, {"name": "Cisco Mobility Services Engine", "version": "any", "operator": "eq"}, {"name": "Cisco Identity Services Engine Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Video Communication Server (VCS)", "version": "any", "operator": "eq"}, {"name": "Cisco Virtual Security Gateway for Nexus 1000V Series Switches", "version": "any", "operator": "eq"}, {"name": "Cisco ASA CX Context-Aware Security Software", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Security Manager (PRSM)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Data Center Network Manager (DCNM)", "version": "any", "operator": "eq"}, {"name": "Cisco ATA 187 Analog Telephone Adaptor", "version": "any", "operator": "eq"}, {"name": "Cisco Prime LAN Management Solution (LMS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Communications Domain Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Communications Manager IM and Presence Service", "version": "any", "operator": "eq"}, {"name": "Cisco Web Security Appliance (WSA)", "version": "any", "operator": "eq"}, {"name": "Cisco Email Security Appliance (ESA)", "version": "any", "operator": "eq"}, {"name": "Cisco Content Security Management Appliance (SMA)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Infrastructure", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence MCU Software", "version": "any", "operator": "eq"}, {"name": "Cisco Connected Grid Network Management System (CG-NMS)", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber IM for Android", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings Server", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System Central Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Supervisor MSE 8050 Software", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Social", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for Windows", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence System Software", "version": "any", "operator": "eq"}, {"name": "Cisco Enterprise Content Delivery System (ECDS)", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TC Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TE Software", "version": "any", "operator": "eq"}, {"name": "Cisco Virtualization Experience Media Engine", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phones 9900 Series Firmware", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Conference Station 7937G Firmware", "version": "any", "operator": "eq"}, {"name": "Cisco ASR 5000 Series Software", "version": "any", "operator": "eq"}, {"name": "Cisco Videoscape Distribution Suite Service Broker", "version": "any", "operator": "eq"}, {"name": "Cisco Finesse", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 8945", "version": "any", "operator": "eq"}, {"name": "Cisco SocialMiner", "version": "any", "operator": "eq"}, {"name": "Cisco MediaSense", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TX9000", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TX1310 65", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TX1300 47", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 4000 Series IP Camera", "version": "any", "operator": "eq"}, {"name": "Cisco Unified SIP Proxy", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 1000V InterCloud for VMware", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network Registrar", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence ISDN GW 3241", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Intelligence Center", "version": "any", "operator": "eq"}, {"name": "Cisco Universal Small Cell Series Firmware", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 1000V Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Application Policy Infrastructure Controller (APIC)", "version": "any", "operator": "eq"}, {"name": "Cisco Expressway", "version": "any", "operator": "eq"}, {"name": "Cisco Edge 300 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Optical", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Advanced Media Gateway", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Serial Gateway Series", "version": "any", "operator": "eq"}, {"name": "Cisco Prime License Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Deployment", "version": "any", "operator": "eq"}, {"name": "Cisco Plug-in for OpenFlow", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber Video for TelePresence (Movi)", "version": "any", "operator": "eq"}, {"name": "Cisco MATE Collector", "version": "any", "operator": "eq"}, {"name": "Cisco MATE Design", "version": "any", "operator": "eq"}, {"name": "Cisco MATE Live", "version": "any", "operator": "eq"}, {"name": "Cisco Prime IP Express", "version": "any", "operator": "eq"}, {"name": "Cisco onePK All-in-One Virtual Machine", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network Services Controller", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence ISDN Link", "version": "any", "operator": "eq"}, {"name": "Cisco Telepresence Conductor", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 3000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 6000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 7000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance PTZ IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings for Android", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings for Windows Phone 8", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 8900 Series", "version": "any", "operator": "eq"}, {"name": "Cisco FireSIGHT System Software", "version": "any", "operator": "eq"}, {"name": "UCS B-Series Blade Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Assurance", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Provisioning", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber Software Development Kit", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for Mac", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for iOS", "version": "any", "operator": "eq"}, {"name": "Cisco Packet Tracer", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Performance Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Agent Desktop", "version": "any", "operator": "eq"}, {"name": "Cisco DX Series IP Phones", "version": "any", "operator": "eq"}, {"name": "Cisco Paging Server", "version": "any", "operator": "eq"}, {"name": "Cisco SPA112 2-Port Phone Adapter", "version": "any", "operator": "eq"}, {"name": "Cisco SPA122 ATA with Router", "version": "any", "operator": "eq"}, {"name": "Cisco SPA232D Multi-Line DECT ATA", "version": "any", "operator": "eq"}, {"name": "Cisco Unified 7800 Series IP Phones", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Attendant Console", "version": "any", "operator": "eq"}, {"name": "Cisco AnyRes Live", "version": "any", "operator": "eq"}, {"name": "Cisco D9036 Modular Encoding Platform", "version": "any", "operator": "eq"}, {"name": "Cisco Model D9485 DAVIC QPSK Mod / Demod", "version": "any", "operator": "eq"}, {"name": "Cisco Videoscape Control Suite", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 7900 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 6900 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 3000 Series Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Hosted Collaboration Mediation Fulfillment", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2015-11-13T15:34:23", "id": "CISCO-SA-20150310-SSL", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "oracle": [{"lastseen": "2018-08-31T04:14:01", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-04-14T00:00:00", "title": "Oracle Critical Patch Update - April 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Technology", "version": "9.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.10", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.3", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "5.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "7u76", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.x", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Java SE, JRockit", "version": "5.0u81", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.0", "operator": "le"}, {"name": "Oracle GoldenGate Monitor", "version": "11.1.2.1.0", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "6u91", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Java SE, JRockit", "version": "28.3.5", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Health Sciences Argus Safety", "version": "8.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121020", "operator": "le"}, {"name": "Java SE", "version": "5.0u81", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u91", "operator": "le"}, {"name": "SQL Trace Analyzer", "version": "12.1.11", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Utilities", "version": "1.5.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121030", "operator": "le"}, {"name": "Oracle Hyperion Smart View for Office", "version": "11.1.2.5.216", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u40", "operator": "le"}, {"name": "Java SE", "version": "7u76", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "9.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.18", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "1.x", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.16", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.2.3.10.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.1", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Java SE", "version": "8u40", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.2", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "6.2", "operator": "le"}, {"name": "Oracle Installed Base", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u40", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.4.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.42", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.22", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.4.7.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "MySQL Connectors", "version": "5.1.34", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE", "version": "6u91", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.76", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "5.0u81", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "11.5.10", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.19", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.41", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.0", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.x", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.x", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u76", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "PeopleSoft Enterprise Portal Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "modified": "2015-05-20T00:00:00", "id": "ORACLE:CPUAPR2015-2365600", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:14:03", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on May 15, 2015, Oracle released [Security Alert for CVE-2015-3456 (QEMU \"Venom\")](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-07-14T00:00:00", "title": "Oracle Critical Patch Update - July 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebCenter Portal", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.1", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2260", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.4", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.7", "operator": "le"}, {"name": "Sun Blade 6000 Ethernet Switched NEM 24P 10GE", "version": "1.2.2", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "2.2.80", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Event Processing", "version": "11.1.1.7", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "12.1.0.2", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.2.42", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "10.3", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "PeopleSoft Enteprise Portal - Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.40", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Candidate Gateway", "version": "9.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.32", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Sun Ray Software", "version": "5.4.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Oracle OLAP", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.32", "operator": "le"}, {"name": "Technology stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Switch ES1-24", "version": "1.3.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.2", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2", "operator": "le"}, {"name": "Oracle Application Express", "version": "4.2.3.00.08", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Sun Network 10GE Switch 72p", "version": "1.2.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.2.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.3.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.0", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.2.0.3", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.3.28", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.22", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.3", "operator": "le"}, {"name": "Technology stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.24", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "11.2.0.4", "operator": "le"}, {"name": "Technology stack", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE", "version": "7u80", "operator": "le"}, {"name": "Java SE", "version": "8u45", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.4", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1120", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "11.1.1.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquisition Manager", "version": "9.1", "operator": "le"}, {"name": "Oracle Agile PLM Framework", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64", "version": "1.9.1.2", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.30", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "15.0", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Communications Session Border Controller", "version": "7.2.0m4", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.1.1", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "9.4.2e", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.42", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "28.3.6", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Siebel UI Framework", "version": "15.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.22", "operator": "le"}, {"name": "Oracle Event Processing", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.1.29", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "8.7.2.b", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "12.1.1.0", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.1", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Application Express", "version": "4.2.1", "operator": "le"}, {"name": "Data Store", "version": "12.1.6.0.35", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "12.1.0.2", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Web Cache", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.0.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "Oracle OLAP", "version": "12.1.0.1", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.1.5", "operator": "le"}, {"name": "Java SE", "version": "6u95", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.43", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.0.2", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquisition Manager", "version": "9.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Candidate Gateway", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2015-1926", "CVE-2015-1802", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2014-8098", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-1804", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2014-8092", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-3572", "CVE-2014-3613", "CVE-2015-0206", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-3244", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2014-8100", "CVE-2015-4789", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-0288", "CVE-2015-4790", "CVE-2013-6422", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2010-4020", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-0285", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2011-3389", "CVE-2015-2654", "CVE-2015-0207", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2014-8275", "CVE-2015-3456", "CVE-2015-0467", "CVE-2015-2584", "CVE-2015-0208", "CVE-2015-2808", "CVE-2013-0249", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", "CVE-2015-4761", "CVE-2015-4745", "CVE-2015-4750", "CVE-2014-0139", "CVE-2015-2635", "CVE-2015-4756", "CVE-2015-2647", "CVE-2014-3707", "CVE-2015-0293", "CVE-2015-2600", "CVE-2015-2580", "CVE-2014-8097", "CVE-2014-8101", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2014-8091", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-0468", "CVE-2015-4779", "CVE-2015-0209", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2014-0015", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-0204", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2014-8095", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-0291", "CVE-2015-4746", "CVE-2015-2629", "CVE-2014-8096", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-0287", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2013-2174", "CVE-2015-2663", "CVE-2015-4742", "CVE-2014-8093", "CVE-2015-0289", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-0292", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2014-0138", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-0290", "CVE-2015-2616", "CVE-2015-0205", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2010-1323", "CVE-2015-1787", "CVE-2015-4754", "CVE-2014-3569", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2013-4545", "CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "modified": "2016-07-07T00:00:00", "id": "ORACLE:CPUJUL2015-2367936", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:56", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-10-20T00:00:00", "title": "Oracle Critical Patch Update - October 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Access Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.85", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "6u101", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.6.1.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Mobile Server", "version": "12.1.0.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9.1.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2015", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "4.1.6", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "6.0.2", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2014", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u51", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "2.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.2", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.0.6", "operator": "le"}, {"name": "Mobile Server", "version": "11.3.0.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.20", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "8.1", "operator": "le"}, {"name": "Java SE", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.4.0.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "14.0.", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u101", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.1.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.30", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.8", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.3", "operator": "le"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "5.1.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.5.1.1", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Payments", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "10.5.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.9.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.44", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1.5", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.1.0", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.7", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.38", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.42", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.34", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u60", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.32", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.24", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.25", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.1", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.34", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "2.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2271", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "11.1.1.7.4", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "10.1.3.5.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "9.0", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "OSS Support Tools", "version": "8.8.15.7.15", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.30", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0.", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Mobile Server", "version": "10.3.0.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.45", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u101", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.20", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.20", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.1", "operator": "le"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Portable Clusterware", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0.", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Database Scheduler", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.4", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.22", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.26", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u51", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "2.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "3.0.1", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.26", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.2", "operator": "le"}, {"name": "Oracle Payments", "version": "11.5.10.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.43", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u60", "operator": "le"}, {"name": "Java SE", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Hyperion Installation Technology", "version": "11.1.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u85", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "9.0.3", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Report Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9", "operator": "le"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2016-09-29T00:00:00", "id": "ORACLE:CPUOCT2015-2367953", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:41", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2016-07-19T00:00:00", "title": "Oracle Critical Patch Update - July 2016", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Sun Data Center InfiniBand Switch 36", "version": "2.2.2", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.2.5", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Enterprise Manager for Fusion Middleware", "version": "11.1.1.9", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u115", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Sun Network 10GE Switch 72p", "version": "1.2", "operator": "le"}, {"name": "Oracle E-Business Suite Secure Enterprise Search", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.6", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.4.0", "operator": "le"}, {"name": "Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.22", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.5.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "8.1.1", "operator": "le"}, {"name": "Oracle In-Memory Policy Analytics", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.0", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.3.0.1.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "12.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2015", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.3", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.6.0", "operator": "le"}, {"name": "JDBC", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.2.0.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2014", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Policy Automation for Mobile Devices", "version": "12.1.1", "operator": "le"}, {"name": "Java SE", "version": "8u92", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "13.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Utilities Network Management System", "version": "1.12.0.1.16", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "15.0", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "6.3", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1121", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "13.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.29", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "Primavera Contract Management", "version": "14.2", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.2", "operator": "le"}, {"name": "Oracle Utilities Network Management System", "version": "1.10.0.6.27", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.0", "operator": "le"}, {"name": "Java SE", "version": "7u101", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.x", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2320", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.11", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "15.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u92", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.5", "operator": "le"}, {"name": "JDBC", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.2", "operator": "le"}, {"name": "Oracle Communications Core Session Manager", "version": "7.3.5", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "4.1", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.30", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "14.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.26", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.1.0", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.1.1", "operator": "le"}, {"name": "Siebel UI Framework", "version": "2015", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "12.0", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.3.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Engineering - Installer and Deployment", "version": "2015", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.3", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.0.4", "operator": "le"}, {"name": "Siebel Engineering - Installer and Deployment", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.2.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.5.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "9.6.1", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications EAGLE Application Processor", "version": "16.0", "operator": "le"}, {"name": "Oracle Utilities Network Management System", "version": "1.11.0.4.41", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "13.1", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "4.0.1", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "9.7.1", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "15.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2280", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u115", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.5", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "13.1", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.3.0", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "14.1", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Communications ASAP", "version": "7.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.49", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.0", "operator": "le"}, {"name": "Oracle TopLink", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "13.2", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.2.0.3.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.2.1.0.0", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.5.x", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "10.1.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Oracle Advanced Inbound Telephony", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "10.0.1", "operator": "le"}, {"name": "Enterprise Manager for Fusion Middleware", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.4", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "Siebel Engineering - Installer and Deployment", "version": "2016", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "13.0", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.1", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "3.0.0", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.0", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.1.0.1.0", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.1", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.5", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "14.0", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.9.2", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.4", "operator": "le"}, {"name": "Data Pump Import", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.3.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.7.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Database Vault", "version": "11.2.0.4", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "Oracle E-Business Suite Secure Enterprise Search", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u92", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.3.0.2.0", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.0.1", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.1", "operator": "le"}, {"name": "Oracle Advanced Inbound Telephony", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "4.4.1.5.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "10.2.0", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Enterprise Communications Broker", "version": "2.0.0m4p1", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "1.x", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.2", "operator": "le"}, {"name": "Oracle Health Sciences Clinical Development Center", "version": "3.1.1.x", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Insurance Calculation Engine", "version": "9.7.1", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2016", "operator": "le"}, {"name": "Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "16.1", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "2016", "operator": "le"}, {"name": "Oracle Communications Session Border Controller", "version": "7.2.0", "operator": "le"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9.1.2.8", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.2", "operator": "le"}, {"name": "Java SE", "version": "6u115", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.1.0.0", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.2", "operator": "le"}, {"name": "Oracle Health Sciences Information Manager", "version": "3.0.1.0", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "9.6.1", "operator": "le"}, {"name": "Oracle Access Manager", "version": "10.1.4.x", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.6", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.1.0.2.0", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Unified Session Manager", "version": "7.3.5", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.1", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "2.2.0.0.0", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.4.1", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.3", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.3.1", "operator": "le"}, {"name": "Oracle Switch ES1-24", "version": "1.3", "operator": "le"}, {"name": "Siebel Engineering - Installer and Deployment", "version": "2014", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "2015", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "DB Sharding", "version": "12.1.0.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "12.2.1.0.0", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Communications Core Session Manager", "version": "7.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.10", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.2.0.1.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.45", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "10.2.2", "operator": "le"}, {"name": "JDBC", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.1", "operator": "le"}, {"name": "Oracle Insurance Calculation Engine", "version": "10.1.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.2", "operator": "le"}, {"name": "Oracle E-Business Suite Secure Enterprise Search", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "10.0.1", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.5", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "2014", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "10.2.2", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "13.1", "operator": "le"}, {"name": "Portable Clusterware", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Utilities Network Management System", "version": "1.11.0.5.4", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.12", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Insurance Rules Palette", "version": "10.2.0", "operator": "le"}, {"name": "Database Vault", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.1", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.2.0.0", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle TopLink", "version": "12.2.1.1", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "9.7.1", "operator": "le"}, {"name": "Hyperion Financial Reporting", "version": "11.1.2.4", "operator": "le"}, {"name": "Oracle Health Sciences Clinical Development Center", "version": "3.1.2.x", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Unified Session Manager", "version": "7.2.5", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "2.0.12", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "14.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.1", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "14.0", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "10.4.3", "operator": "le"}, {"name": "Oracle TopLink", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "13.1.0.0", "operator": "le"}, {"name": "Oracle Retail Central, Back Office, Returns Management", "version": "13.3", "operator": "le"}, {"name": "Oracle Communications Operations Monitor", "version": "3.3.92.0.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.26", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "8.2.2", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "14.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8", "operator": "le"}, {"name": "Oracle Documaker", "version": "12.5", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "ILOM", "version": "3.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Healthcare Analytics Data Integration", "version": "3.1.0.0.0", "operator": "le"}, {"name": "Database Vault", "version": "12.1.0.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2.0.5", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Sun Network QDR InfiniBand Gateway Switch", "version": "2.2.2", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "12.1.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.3.2", "operator": "le"}, {"name": "Oracle Communications ASAP", "version": "7.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "2016", "operator": "le"}, {"name": "Oracle E-Business Suite Secure Enterprise Search", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Engineering - Installer and Deployment", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Policy Automation Connector for Siebel", "version": "10.4.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u101", "operator": "le"}, {"name": "ILOM", "version": "3.2", "operator": "le"}, {"name": "Oracle Utilities Network Management System", "version": "1.12.0.2.12.", "operator": "le"}, {"name": "Data Pump Import", "version": "12.1.0.1", "operator": "le"}, {"name": "Sun Blade 6000 Ethernet Switched NEM 24P 10GE", "version": "1.2", "operator": "le"}, {"name": "Data Pump Import", "version": "12.1.0.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.48", "operator": "le"}, {"name": "Oracle Advanced Inbound Telephony", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Insurance Calculation Engine", "version": "10.2.2", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.37.0", "operator": "le"}, {"name": "40G 10G 72/64 Ethernet Switch", "version": "2.0.0", "operator": "le"}, {"name": "ILOM", "version": "3.1", "operator": "le"}, {"name": "Oracle Health Sciences Information Manager", "version": "2.0.2.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.1", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Policy Automation", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Insurance Policy Administration J2EE", "version": "10.1.2", "operator": "le"}, {"name": "Oracle Health Sciences Information Manager", "version": "1.2.8.3", "operator": "le"}, {"name": "Oracle Portal", "version": "11.1.1.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Solaris", "version": "11.3", "operator": "le"}, {"name": "Oracle Communications ASAP", "version": "7.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u101", "operator": "le"}, {"name": "Oracle Communications Session Border Controller", "version": "7.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Service Backbone", "version": "13.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "2014", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-5600", "CVE-2016-5465", "CVE-2015-4000", "CVE-2016-3446", "CVE-2016-3508", "CVE-2016-3547", "CVE-2016-3529", "CVE-2016-5452", "CVE-2016-5445", "CVE-2016-1548", "CVE-2016-2518", "CVE-2016-3485", "CVE-2016-3444", "CVE-2015-1792", "CVE-2014-3566", "CVE-2016-3552", "CVE-2015-0235", "CVE-2016-3615", "CVE-2015-1793", "CVE-2016-3491", "CVE-2016-3553", "CVE-2016-3477", "CVE-2016-3613", "CVE-2016-5477", "CVE-2016-3488", "CVE-2015-3197", "CVE-2016-3592", "CVE-2016-3573", "CVE-2016-3494", "CVE-2016-5466", "CVE-2016-5019", "CVE-2015-3236", "CVE-2016-3544", "CVE-2014-3572", "CVE-2016-0705", "CVE-2016-3545", "CVE-2016-3611", "CVE-2015-7181", "CVE-2015-0206", "CVE-2015-1789", "CVE-2016-3597", "CVE-2016-3598", "CVE-2016-5455", "CVE-2016-3574", "CVE-2015-8138", "CVE-2016-3500", "CVE-2016-5472", "CVE-2016-4051", "CVE-2016-3445", "CVE-2016-5454", "CVE-2016-3554", "CVE-2016-5458", "CVE-2015-3195", "CVE-2016-0798", "CVE-2016-3570", "CVE-2016-3432", "CVE-2016-3515", "CVE-2016-2108", "CVE-2016-5447", "CVE-2016-3474", "CVE-2016-3528", "CVE-2016-5440", "CVE-2016-3580", "CVE-2014-3571", "CVE-2016-5450", "CVE-2016-3496", "CVE-2016-3555", "CVE-2016-3596", "CVE-2016-1938", "CVE-2016-5468", "CVE-2016-3481", "CVE-2016-3563", "CVE-2016-0799", "CVE-2016-3539", "CVE-2016-3507", "CVE-2016-3584", "CVE-2016-3519", "CVE-2016-5460", "CVE-2016-3472", "CVE-2016-3583", "CVE-2016-5471", "CVE-2016-3511", "CVE-2016-3479", "CVE-2016-3499", "CVE-2013-2064", "CVE-2014-0224", "CVE-2016-5467", "CVE-2016-0635", "CVE-2016-3498", "CVE-2016-2105", "CVE-2016-3560", "CVE-2016-3514", "CVE-2016-5453", "CVE-2016-3440", "CVE-2016-4052", "CVE-2015-3194", "CVE-2016-2107", "CVE-2016-3607", "CVE-2016-3556", "CVE-2016-3512", "CVE-2016-3532", "CVE-2015-7501", "CVE-2016-1550", "CVE-2016-3475", "CVE-2015-3253", "CVE-2016-0701", "CVE-2016-3476", "CVE-2016-3588", "CVE-2016-3424", "CVE-2016-3471", "CVE-2016-1182", "CVE-2015-7704", "CVE-2016-3585", "CVE-2016-5444", "CVE-2016-3538", "CVE-2014-8275", "CVE-2016-3452", "CVE-2015-7979", "CVE-2016-3549", "CVE-2016-0797", "CVE-2015-7182", "CVE-2016-0702", "CVE-2015-2808", "CVE-2014-3570", "CVE-2016-5451", "CVE-2015-7575", "CVE-2016-3577", "CVE-2016-3591", "CVE-2016-3567", "CVE-2016-3467", "CVE-2016-3537", "CVE-2016-3593", "CVE-2016-3606", "CVE-2016-5456", "CVE-2016-3468", "CVE-2016-3540", "CVE-2016-2109", "CVE-2016-3559", "CVE-2016-5476", "CVE-2015-2721", "CVE-2016-3530", "CVE-2015-3193", "CVE-2014-9708", "CVE-2016-5473", "CVE-2016-3568", "CVE-2016-3453", "CVE-2016-5464", "CVE-2016-5462", "CVE-2016-3490", "CVE-2016-3572", "CVE-2016-3513", "CVE-2012-3137", "CVE-2015-0228", "CVE-2016-3509", "CVE-2015-3237", "CVE-2016-3565", "CVE-2016-5437", "CVE-2016-3534", "CVE-2016-3503", "CVE-2015-7183", "CVE-2016-3550", "CVE-2015-1788", "CVE-2016-3525", "CVE-2016-3587", "CVE-2016-3561", "CVE-2016-3504", "CVE-2016-3581", "CVE-2016-3501", "CVE-2016-5457", "CVE-2016-1547", "CVE-2015-3183", "CVE-2016-3614", "CVE-2012-3410", "CVE-2016-5461", "CVE-2016-5439", "CVE-2015-0204", "CVE-2016-5449", "CVE-2016-3578", "CVE-2016-3527", "CVE-2016-0800", "CVE-2016-3489", "CVE-2016-3483", "CVE-2016-3433", "CVE-2016-5459", "CVE-2016-1181", "CVE-2016-3450", "CVE-2016-3524", "CVE-2016-5442", "CVE-2016-3564", "CVE-2016-5470", "CVE-2013-2566", "CVE-2016-2176", "CVE-2015-1790", "CVE-2016-3542", "CVE-2016-1978", "CVE-2016-3575", "CVE-2016-3531", "CVE-2016-3502", "CVE-2016-3459", "CVE-2016-5446", "CVE-2016-3480", "CVE-2016-3533", "CVE-2016-5469", "CVE-2016-3526", "CVE-2016-5448", "CVE-2016-3486", "CVE-2016-3448", "CVE-2016-5474", "CVE-2016-5436", "CVE-2016-3523", "CVE-2016-5441", "CVE-2016-5475", "CVE-2016-3576", "CVE-2016-3595", "CVE-2016-3610", "CVE-2016-3458", "CVE-2016-3484", "CVE-2016-3586", "CVE-2016-3520", "CVE-2016-3451", "CVE-2016-3582", "CVE-2015-5300", "CVE-2016-3497", "CVE-2016-3589", "CVE-2016-3517", "CVE-2016-3608", "CVE-2016-3510", "CVE-2016-3493", "CVE-2016-3536", "CVE-2016-3548", "CVE-2016-3506", "CVE-2016-3571", "CVE-2016-3487", "CVE-2016-3546", "CVE-2016-5463", "CVE-2016-3541", "CVE-2016-3081", "CVE-2016-3521", "CVE-2015-0205", "CVE-2016-4053", "CVE-2016-3579", "CVE-2016-5443", "CVE-2016-3557", "CVE-2016-3558", "CVE-2016-2106", "CVE-2016-3594", "CVE-2016-3478", "CVE-2016-3522", "CVE-2016-3535", "CVE-2016-3543", "CVE-2016-3612", "CVE-2014-3569", "CVE-2016-3470", "CVE-2016-3518", "CVE-2016-3516", "CVE-2015-1791", "CVE-2016-3569", "CVE-2016-3482", "CVE-2016-3590", "CVE-2015-8104", "CVE-2016-3609", "CVE-2016-3566", "CVE-2016-3469"], "modified": "2016-10-18T00:00:00", "id": "ORACLE:CPUJUL2016-2881720", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:51", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released [Security Alert for CVE-2017-9805](<http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html>). Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2017-10-17T00:00:00", "title": "Oracle Critical Patch Update - October 2017", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebLogic Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Convenience and Fuel POS Software", "version": "2.1.132", "operator": "le"}, {"name": "Oracle Communications User Data Repository", "version": "10.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.9.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.7.7", "operator": "le"}, {"name": "Oracle Hospitality Hotel Mobile", "version": "1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.4.3247", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.0", "operator": "le"}, {"name": "RDBMS Security", "version": "11.2.0.4", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u161", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "4.x", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.6.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Security Service", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.9", "operator": "le"}, {"name": "Oracle Integrated Lights Out Manager (ILOM)", "version": "3.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise Fleet Management", "version": "9.0.2.0", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "17.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.5.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.x.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.3.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u161", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.11", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.8", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications EAGLE LNP Application Processor", "version": "10.x", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.2.9", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.6.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "16.x", "operator": "le"}, {"name": "XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.37", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "6.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.7.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.x.x", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Java SE", "version": "6u161", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Tekelec HLR Router", "version": "4.x", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "14.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.7", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.19", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.2.0.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.1.x.x", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.36", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.1", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u151", "operator": "le"}, {"name": "Oracle API Gateway", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.7", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.2.0", "operator": "le"}, {"name": "SPARC M7, T7, S7 based Servers", "version": "9.7.6.b", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.7", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.30", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.2.x", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.7", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hospitality Cruise Materials Management", "version": "7.30.564.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "WLM (Apache Tomcat)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.18", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "9", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers", "version": "2340", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "9", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.35", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hyperion Financial Reporting", "version": "11.1.2", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.4", "operator": "le"}, {"name": "XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.2", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "16.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.57", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "17.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.14", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u161", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.1.00", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.7.0", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.3", "operator": "le"}, {"name": "Java Advanced Management Console", "version": "2.7", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "5.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5.11", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.2", "operator": "le"}, {"name": "Oracle Server X7-2/2L, X7-8", "version": "1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.4.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.5", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera Unifier", "version": "15.x", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.1", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u144", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.0", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "9", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1123", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "2013", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Java SE", "version": "8u144", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.1", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.13", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.2", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.5.x.x", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.5", "operator": "le"}, {"name": "Spatial (Apache Groovy)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.4", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "RDBMS Security", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.7.0", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1.6", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "16.0.1", "operator": "le"}, {"name": "Oracle Communications Unified Session Manager", "version": "7.x", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.3", "operator": "le"}, {"name": "Java SE", "version": "9", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.4", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.x", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0.11", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Java VM", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Primavera Unifier", "version": "10.x", "operator": "le"}, {"name": "Management Pack for Oracle GoldenGate", "version": "11.2.1.0.12", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.x", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.2.00", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0.6", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.6", "operator": "le"}, {"name": "MySQL Connectors", "version": "6.9.9", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle Communications Billing and Revenue Management", "version": "7.5", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.x", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "16.0", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.2.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PRTL Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.6", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.4.2.4181", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.1.1.5.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.1", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.2.8.2223", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "9.0.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Shipboard Property Management System", "version": "8.0.2.0", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2017-10324", "CVE-2017-10167", "CVE-2017-10014", "CVE-2017-10417", "CVE-2017-10037", "CVE-2015-5351", "CVE-2015-5254", "CVE-2017-10270", "CVE-2017-10387", "CVE-2017-10360", "CVE-2015-1792", "CVE-2017-10321", "CVE-2017-10060", "CVE-2015-0235", "CVE-2015-1793", "CVE-2017-10404", "CVE-2017-10311", "CVE-2017-10421", "CVE-2017-10353", "CVE-2017-10260", "CVE-2017-10203", "CVE-2016-9840", "CVE-2017-10419", "CVE-2017-10424", "CVE-2017-10399", "CVE-2017-10293", "CVE-2015-3197", "CVE-2017-10299", "CVE-2017-10158", "CVE-2017-10379", "CVE-2017-10414", "CVE-2017-10054", "CVE-2017-10357", "CVE-2017-10197", "CVE-2017-10361", "CVE-2017-10356", "CVE-2016-5019", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10066", "CVE-2014-3572", "CVE-2017-5709", "CVE-2016-6306", "CVE-2017-5462", "CVE-2014-3613", "CVE-2017-7502", "CVE-2015-7181", "CVE-2015-0206", "CVE-2017-10369", "CVE-2015-1789", "CVE-2016-2183", "CVE-2017-10349", "CVE-2017-10284", "CVE-2017-10294", "CVE-2017-10325", "CVE-2017-10416", "CVE-2015-0286", "CVE-2017-10341", "CVE-2017-10420", "CVE-2017-10418", "CVE-2017-10367", "CVE-2016-2178", "CVE-2017-10164", "CVE-2013-1903", "CVE-2017-10400", "CVE-2017-3167", "CVE-2017-10281", "CVE-2015-3195", "CVE-2017-10351", "CVE-2017-10359", "CVE-2017-10381", "CVE-2017-10406", "CVE-2017-10348", "CVE-2017-10372", "CVE-2014-8714", "CVE-2017-10034", "CVE-2017-10328", "CVE-2016-0714", "CVE-2016-3092", "CVE-2014-3571", "CVE-2017-10397", "CVE-2017-10388", "CVE-2017-10330", "CVE-2017-10407", "CVE-2014-0076", "CVE-2017-10033", "CVE-2017-10342", "CVE-2017-10415", "CVE-2017-10408", "CVE-2016-6302", "CVE-2017-10344", "CVE-2017-10354", "CVE-2017-10338", "CVE-2017-10296", "CVE-2017-10292", "CVE-2017-10402", "CVE-2014-3587", "CVE-2017-10306", "CVE-2017-10365", "CVE-2017-10337", "CVE-2017-10426", "CVE-2016-8745", "CVE-2016-2177", "CVE-2017-10380", "CVE-2015-0288", "CVE-2017-10332", "CVE-2017-10378", "CVE-2014-0224", "CVE-2017-10026", "CVE-2017-10276", "CVE-2016-0635", "CVE-2017-10409", "CVE-2017-10166", "CVE-2017-10427", "CVE-2017-10422", "CVE-2015-3194", "CVE-2017-10355", "CVE-2017-10163", "CVE-2016-6515", "CVE-2017-10326", "CVE-2015-0285", "CVE-2016-2107", "CVE-2017-10153", "CVE-2016-7055", "CVE-2017-10382", "CVE-2015-7501", "CVE-2017-10364", "CVE-2017-10319", "CVE-2015-3253", "CVE-2017-3731", "CVE-2016-6307", "CVE-2016-0701", "CVE-2017-10398", "CVE-2017-10051", "CVE-2017-10308", "CVE-2017-10320", "CVE-2017-10287", "CVE-2017-10412", "CVE-2017-10334", "CVE-2016-9842", "CVE-2016-2834", "CVE-2017-10283", "CVE-2015-0899", "CVE-2017-10152", "CVE-2017-10264", "CVE-2016-1182", "CVE-2014-0065", "CVE-2016-0763", "CVE-2015-0207", "CVE-2017-10155", "CVE-2017-10271", "CVE-2017-10286", "CVE-2017-10304", "CVE-2016-6308", "CVE-2016-6816", "CVE-2016-7433", "CVE-2014-4342", "CVE-2017-5662", "CVE-2014-8275", "CVE-2016-2180", "CVE-2017-10411", "CVE-2017-10313", "CVE-2017-10194", "CVE-2015-7182", "CVE-2015-0208", "CVE-2015-2808", "CVE-2017-10347", "CVE-2014-3570", "CVE-2017-10227", "CVE-2015-7575", "CVE-2017-10370", "CVE-2017-10261", "CVE-2017-10425", "CVE-2017-5706", "CVE-2015-3196", "CVE-2017-10428", "CVE-2014-3470", "CVE-2017-10362", "CVE-2017-10309", "CVE-2016-2181", "CVE-2017-10391", "CVE-2016-6304", "CVE-2015-3193", "CVE-2017-10263", "CVE-2014-3538", "CVE-2017-10403", "CVE-2014-0114", "CVE-2017-10159", "CVE-2017-10410", "CVE-2017-3732", "CVE-2017-10383", "CVE-2017-10339", "CVE-2017-10340", "CVE-2014-0050", "CVE-2017-10327", "CVE-2017-10396", "CVE-2017-10300", "CVE-2014-3707", "CVE-2014-0064", "CVE-2017-10343", "CVE-2015-0293", "CVE-2017-10165", "CVE-2017-10316", "CVE-2017-3445", "CVE-2017-10373", "CVE-2016-1979", "CVE-2017-10363", "CVE-2017-10352", "CVE-2016-2381", "CVE-2014-8713", "CVE-2017-10279", "CVE-2015-7183", "CVE-2013-0255", "CVE-2017-10314", "CVE-2017-9805", "CVE-2015-1788", "CVE-2017-10055", "CVE-2014-0195", "CVE-2014-0198", "CVE-2017-10161", "CVE-2016-7052", "CVE-2015-0209", "CVE-2014-0063", "CVE-2016-1950", "CVE-2017-10333", "CVE-2015-0204", "CVE-2016-0706", "CVE-2013-0248", "CVE-2017-3733", "CVE-2017-5664", "CVE-2017-10312", "CVE-2017-10366", "CVE-2014-0060", "CVE-2017-10318", "CVE-2016-7429", "CVE-2016-1181", "CVE-2017-10268", "CVE-2017-10285", "CVE-2017-3446", "CVE-2017-10392", "CVE-2017-10413", "CVE-2016-9843", "CVE-2013-2566", "CVE-2016-8735", "CVE-2015-1790", "CVE-2017-10394", "CVE-2017-9788", "CVE-2017-10350", "CVE-2016-6305", "CVE-2016-6303", "CVE-2017-10275", "CVE-2017-10274", "CVE-2017-10190", "CVE-2013-1902", "CVE-2017-10315", "CVE-2015-0291", "CVE-2017-10317", "CVE-2017-10389", "CVE-2017-10385", "CVE-2017-10154", "CVE-2017-10395", "CVE-2017-3588", "CVE-2014-4345", "CVE-2017-10162", "CVE-2003-1418", "CVE-2016-2182", "CVE-2017-10358", "CVE-2017-10310", "CVE-2017-10077", "CVE-2017-10346", "CVE-2014-0062", "CVE-2017-10401", "CVE-2015-0287", "CVE-2017-7668", "CVE-2017-3444", "CVE-2017-10295", "CVE-2017-10393", "CVE-2017-10423", "CVE-2017-10280", "CVE-2017-5461", "CVE-2016-10165", "CVE-2014-0066", "CVE-2015-0289", "CVE-2016-9841", "CVE-2015-7940", "CVE-2017-3169", "CVE-2017-10065", "CVE-2016-5285", "CVE-2017-10368", "CVE-2015-0292", "CVE-2017-10375", "CVE-2017-10384", "CVE-2014-0107", "CVE-2017-10050", "CVE-2016-3506", "CVE-2017-10345", "CVE-2017-10303", "CVE-2017-10302", "CVE-2017-10259", "CVE-2017-10265", "CVE-2015-0290", "CVE-2017-3730", "CVE-2015-0205", "CVE-2017-10329", "CVE-2016-2179", "CVE-2017-10405", "CVE-2017-10277", "CVE-2016-6814", "CVE-2013-1900", "CVE-2015-1787", "CVE-2015-4852", "CVE-2014-0061", "CVE-2014-3569", "CVE-2017-10386", "CVE-2015-1791", "CVE-2017-10336", "CVE-2017-10335", "CVE-2016-7431", "CVE-2017-7679", "CVE-2014-0221", "CVE-2017-10331", "CVE-2017-10099"], "modified": "2018-02-15T00:00:00", "id": "ORACLE:CPUOCT2017-3236626", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
