ALT Linux Team

Branch c7 update on 2016-05-06

2016-05-06

ALT-BU-2016-2749-1

Branch c7 update bulletin.

ALT-PU-2016-1445-1

Package openssl10 updated to version 1.0.1t-alt0.M70C.1 for branch c7 in task 164273.

Closed vulnerabilities

Published: 2016-05-04

BDU:2020-02960

Уязвимость функции EVP_EncodeUpdate (crypto/evp/encode.c) библиотеки OpenSSL, связанная с ошибкой при обработке числа, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-04

BDU:2020-02961

Уязвимость функции EVP_EncodeUpdate (crypto/evp/evp_enc.c) библиотеки OpenSSL, связанная с ошибкой при обработке числа, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-04

BDU:2020-02962

Уязвимость функции проверки заполнения реализации AES-NI библиотеки OpenSSL, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2016-05-04

BDU:2020-02963

Уязвимость функции asn1_d2i_read_bio (crypto/asn1/a_d2i_fp.c) библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-04

BDU:2020-02964

Уязвимость функции X509_NAME_oneline (crypto/x509/x509_obj.c) библиотеки OpenSSL, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным или вызвать отказ в обслуживании

Severity: HIGH (8.2) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
References:
Published: 2016-05-05
Modified: 2024-11-21

CVE-2016-2105

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-05
Modified: 2024-11-21

CVE-2016-2106

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-05
Modified: 2024-11-21

CVE-2016-2107

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2016-05-05
Modified: 2024-11-21

CVE-2016-2109

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-05-05
Modified: 2024-11-21

CVE-2016-2176

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Severity: HIGH (8.2) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top