Debian: DSA-3197-2: openssl regression update

    Date: 24 Mar 2015
    Category: Debian
    Posted By: LinuxSecurity Advisories
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3197-2
    http://www.debian.org/security/                      Salvatore Bonaccorso
    March 24, 2015                         http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : openssl
    CVE ID         : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 
                     CVE-2015-0289 CVE-2015-0292
    Debian Bug     : 781081
    
    The openssl update issued as DSA 3197-1 caused regressions. This update
    reverts the defective patch applied in that update causing these
    problems. Additionally a follow-up fix for CVE-2015-0209 is applied.
    For reference the original advisory text follows.
    
    Multiple vulnerabilities have been discovered in OpenSSL, a Secure
    Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
    identifies the following issues:
    
    CVE-2015-0286
    
        Stephen Henson discovered that the ASN1_TYPE_cmp() function
        can be crashed with an invalid read when it is asked to compare
        ASN.1 boolean types, resulting in denial of service.
    
    CVE-2015-0287
    
        Emilia Kaesper discovered a memory corruption (invalid write) in
        ASN.1 parsing, triggered when an ASN.1 structure is reused.
    
    CVE-2015-0289
    
        Michal Zalewski discovered a NULL pointer dereference in the
        PKCS#7 parsing code, which does not handle a missing outer
        ContentInfo correctly, resulting in denial of service.
    
    CVE-2015-0292
    
        It was discovered that missing input sanitising in base64 decoding
        (an integer underflow in EVP_DecodeUpdate()) might result in memory
        corruption. Any code path that decodes base64 data from an
        untrusted source, such as the PEM routines, is affected.
    
    CVE-2015-0209
    
        It was discovered that a malformed EC private key passed to
        d2i_ECPrivateKey() might result in a use-after-free and hence
        memory corruption.
    
    CVE-2015-0288
    
        It was discovered that missing input sanitising in the
        X509_to_X509_REQ() function (a NULL pointer dereference when the
        certificate key is invalid) might result in denial of service.
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 1.0.1e-2+deb7u16.
    
    We recommend that you upgrade your openssl packages.
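    Upgrading the package is only half of the job: libssl and libcrypto are
    shared objects, so any daemon that loaded them before the upgrade keeps
    running the old code until it is restarted. The following script is an
    added example and not part of the Debian advisory. It assumes a wheezy
    host with dpkg available, the binary package names libssl1.0.0 and
    openssl, and takes the fixed version string from the advisory above; the
    sample /proc maps content is constructed for the offline self-test.

```shell
#!/bin/sh
# Added example (not part of DSA-3197-2): confirm the fixed openssl build is
# installed and find processes that still map a replaced libssl/libcrypto.
# Assumptions: Debian wheezy, dpkg present, packages libssl1.0.0 and openssl.

FIXED_VERSION="1.0.1e-2+deb7u16"   # version named in the advisory

# version_lt A B: exit 0 when A is older than B.
# dpkg's comparison is authoritative for Debian version strings; the
# sort -V fallback is an approximation for hosts without dpkg.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# needs_upgrade INSTALLED: exit 0 when INSTALLED predates the fixed build.
needs_upgrade() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version PKG: print the installed version, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# stale_ssl_objects < maps: print (deduplicated) libssl/libcrypto paths that a
# process still maps although the file on disk has been replaced; the kernel
# marks such mappings with a "(deleted)" suffix in /proc/PID/maps.
stale_ssl_objects() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

# stale_ssl_pids: live scan of /proc for processes holding a stale mapping.
stale_ssl_pids() {
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        if stale_ssl_objects < "$m" | grep -q .; then
            pid=${m#/proc/}
            printf '%s\n' "${pid%/maps}"
        fi
    done
}

# Constructed sample of /proc/PID/maps content for an offline self-test.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1d5000 r-xp 00000000 08:01 131142 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c1d5000-7f3a1c3d4000 ---p 001d5000 08:01 131142 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 131099 /lib/x86_64-linux-gnu/libc-2.13.so
7f3a1c600000-7f3a1c7f0000 r-xp 00000000 08:01 131150 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0'

main() {
    for pkg in libssl1.0.0 openssl; do
        v=$(installed_version "$pkg")
        if [ -z "$v" ]; then
            echo "$pkg: not installed"
        elif needs_upgrade "$v"; then
            echo "$pkg: $v predates $FIXED_VERSION; run: apt-get install $pkg"
        else
            echo "$pkg: $v is at or beyond the fixed build"
        fi
    done
    pids=$(stale_ssl_pids)
    if [ -n "$pids" ]; then
        echo "processes still mapping a replaced libssl/libcrypto (restart them):"
        echo "$pids"
    fi
}

# Live checks run only when invoked with --live, so the functions can be
# sourced and exercised against constructed input without touching dpkg.
if [ "${1:-}" = "--live" ]; then
    main
fi
```

    Run it as `sh dsa3197-check.sh --live` on the host. The maps scan is the
    same idea the `checkrestart` tool from the debian-goodies package
    automates; a process listed there (typically sshd, apache2, postfix,
    exim) must be restarted before the update actually takes effect for it.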
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    