Lucene search

K
osvGoogleOSV:DSA-3197-2
HistoryMar 19, 2015 - 12:00 a.m.

openssl - regression update

2015-03-1900:00:00
Google
osv.dev
26

EPSS

0.944

Percentile

99.2%

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

  • CVE-2015-0286
    Stephen Henson discovered that the ASN1_TYPE_cmp() function
    can be crashed, resulting in denial of service.
  • CVE-2015-0287
    Emilia Kaesper discovered a memory corruption in ASN.1 parsing.
  • CVE-2015-0289
    Michal Zalewski discovered a NULL pointer dereference in the
    PKCS#7 parsing code, resulting in denial of service.
  • CVE-2015-0292
    It was discovered that missing input sanitising in base64 decoding
    might result in memory corruption.
  • CVE-2015-0209
    It was discovered that a malformed EC private key might result in
    memory corruption.
  • CVE-2015-0288
    It was discovered that missing input sanitising in the
    X509_to_X509_REQ() function might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u15. In this update the export ciphers are removed
from the default cipher list.

We recommend that you upgrade your openssl packages.