All errata/sisyphus/ALT-PU-2016-1184-2
ALT-PU-2016-1184-2

Package update openssl10 in branch sisyphus

Version1.0.2g-alt1
Task#160361
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (28)

BDU:2016-00630
LOW1.9

Уязвимость библиотеки OpenSSL, позволяющая нарушителю раскрыть RSA-ключи

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0LOW 1.9
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N
References
BDU:2016-00631
CRITICAL10.0

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2016-00632
MEDIUM5.0

Уязвимости библиотеки OpenSSL, позволяющие нарушителю вызвать отказ в обслуживании или оказать другое воздействие

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2016-00633
HIGH7.8

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2016-00634
CRITICAL10.0

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2016-00635
CRITICAL10.0

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2016-00661
MEDIUM4.3

Уязвимость библиотеки OpenSSL, позволяющая нарушителю расшифровать передаваемые данные

Published: 2016-03-23Modified: 2021-03-23
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
References
BDU:2016-00666
LOW2.6

Уязвимость библиотеки OpenSSL, позволяющая нарушителю получить закрытый ключ

Published: 2016-03-23Modified: 2021-03-23
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
References
BDU:2019-01911
HIGH7.5

Уязвимость в файле t1_lib.c библиотеки OpenSSL, позволяющие нарушителю вызвать отказ в обслуживании

Published: 2019-05-31Modified: 2021-03-23
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2020-02909
HIGH7.5

Уязвимость библиотеки OpenSSL, связанная с чтением за границами буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-06-22
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2020-02910
MEDIUM5.9

Уязвимость реализации алгоритма возведения в квадратичную форму Монтгомери библиотеки OpenSSL, связанная с ошибкой переноса разряда на платформе x86_64 , позволяющая нарушителю получить несанкционированный доступ к информации

Published: 2020-06-22
CVSS 3.xMEDIUM 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:N/A:N
References
BDU:2020-02912
MEDIUM5.3

Уязвимость расширения IPAddressFamily библиотеки OpenSSL, позволяющая нарушителю нарушить целостность данных

Published: 2020-06-22
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
BDU:2021-03140
HIGH7.5

Уязвимость алгоритмов шифрования DES и Triple DES, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2021-06-23
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2022-02461
MEDIUM5.9

Уязвимость библиотеки OpenSSL, связанная с чтением за границами буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2022-04-21
CVSS 3.xMEDIUM 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C
References
CVE-2016-0701
LOW3.7

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Published: 2016-02-15Modified: 2025-04-12
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS 3.xLOW 3.7
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2016-0702
MEDIUM5.1

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0LOW 1.9
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.1
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2016-0705
CRITICAL9.8

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2016-0797
HIGH7.5

Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2016-0798
HIGH7.5

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2016-0799
CRITICAL9.8

The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2016-0800
MEDIUM5.9

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Published: 2016-03-01Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2016-2183
HIGH7.5

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Published: 2016-09-01Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2016-2842
CRITICAL9.8

The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

Published: 2016-03-03Modified: 2025-04-12
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2016-6304
HIGH7.5

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Published: 2016-09-26Modified: 2025-04-12
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2016-6306
MEDIUM5.9

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.

Published: 2016-09-26Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2017-3731
HIGH7.5

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.

Published: 2017-05-04Modified: 2025-04-20
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2017-3732
MEDIUM5.9

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.

Published: 2017-05-04Modified: 2025-04-20
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2017-3735
MEDIUM5.3

While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

Published: 2017-08-28Modified: 2025-04-20
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References