build openssl upstream update for number of CVEs from 2016-09-22
Bug #1626676 reported by
V. Bakayev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
TLDR:
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
full report can be found here:
https:/
To post a comment you must log in.
most impacting issues listed in that report:
OpenSSL Security Advisory [22 Sep 2016] ======= ======= ======= ======= =====
=======
OCSP Status Request extension unbounded memory growth (CVE-2016-6304) ======= ======= ======= ======= ======= ======= ======= ======= ======
=======
Severity: High
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
SSL_peek() hang on empty record (CVE-2016-6305) ======= ======= ======= ======= ======= =====
=======
Severity: Moderate
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.