Описание
Security update for openssl1
This update for openssl1 fixes the following issues:
Security issues fixed:
- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (bsc#977616)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
Bugs fixed:
- bsc#971354: libopenssl1_0_0 now Recommends: openssl1 to get correct SSL Root Certificate hashes
- bsc#889013: Rename README.SuSE to the new spelling README.SUSE
- bsc#976943: Fixed a buffer overrun in ASN1_parse.
- bsc#977621: Preserve negotiated digests for SNI (bsc#977621)
Список пакетов
SUSE Linux Enterprise Server 11-SECURITY
Ссылки
- Link for SUSE-SU-2016:1206-1
- E-Mail link for SUSE-SU-2016:1206-1
- SUSE Security Ratings
- SUSE Bug 889013
- SUSE Bug 971354
- SUSE Bug 976942
- SUSE Bug 976943
- SUSE Bug 977614
- SUSE Bug 977615
- SUSE Bug 977616
- SUSE Bug 977617
- SUSE Bug 977621
- SUSE CVE CVE-2016-2105 page
- SUSE CVE CVE-2016-2106 page
- SUSE CVE CVE-2016-2107 page
- SUSE CVE CVE-2016-2108 page
- SUSE CVE CVE-2016-2109 page
Описание
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Затронутые продукты
Ссылки
- CVE-2016-2105
- SUSE Bug 977584
- SUSE Bug 977614
- SUSE Bug 978492
- SUSE Bug 989902
- SUSE Bug 990369
- SUSE Bug 990370
Описание
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Затронутые продукты
Ссылки
- CVE-2016-2106
- SUSE Bug 977584
- SUSE Bug 977615
- SUSE Bug 978492
- SUSE Bug 979279
- SUSE Bug 990369
Описание
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Затронутые продукты
Ссылки
- CVE-2016-2107
- SUSE Bug 976942
- SUSE Bug 977584
- SUSE Bug 977616
- SUSE Bug 978492
- SUSE Bug 990369
- SUSE Bug 990370
Описание
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Затронутые продукты
Ссылки
- CVE-2016-2108
- SUSE Bug 1001502
- SUSE Bug 1004499
- SUSE Bug 1005878
- SUSE Bug 1148697
- SUSE Bug 977584
- SUSE Bug 977617
- SUSE Bug 978492
- SUSE Bug 989345
- SUSE Bug 996067
Описание
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Затронутые продукты
Ссылки
- CVE-2016-2109
- SUSE Bug 1015243
- SUSE Bug 976942
- SUSE Bug 977584
- SUSE Bug 978492
- SUSE Bug 990369