ELSA-2015-2616

Опубликовано: 14 дек. 2015

Источник: oracle-oval

Платформа: Oracle Linux 5

Описание

ELSA-2015-2616: openssl security update (MODERATE)

[0.9.8e-37.0.1]

To disable SSLv2 client connections create the file /etc/sysconfig/openssl-ssl-client-kill-sslv2 (John Haxby) [orabug 21673934]
Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]
fix CVE-2014-3570 - Bignum squaring may produce incorrect results
fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]

[0.9.8e-37]

fix CVE-2015-3195 - X509_ATTRIBUTE memory leak

Обновленные пакеты

Oracle Linux 5

Oracle Linux ia64

openssl

0.9.8e-37.0.1.el5_11

openssl-devel

0.9.8e-37.0.1.el5_11

openssl-perl

0.9.8e-37.0.1.el5_11

Oracle Linux x86_64

openssl

0.9.8e-37.0.1.el5_11

openssl-devel

0.9.8e-37.0.1.el5_11

openssl-perl

0.9.8e-37.0.1.el5_11

Oracle Linux i386

openssl

0.9.8e-37.0.1.el5_11

openssl-devel

0.9.8e-37.0.1.el5_11

openssl-perl

0.9.8e-37.0.1.el5_11

Связанные CVE

CVE-2015-3195

Ссылки на источники

Связанные уязвимости

CVE-2015-3195

CVSS3: 5.3

ubuntu

больше 9 лет назад

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.