All errata/t7/ALT-PU-2016-1060-1
ALT-PU-2016-1060-1

Package update openssl10 in branch t7

Version1.0.1r-alt0.M70P.1
Task#156756
Published2016-01-28
Max severityHIGH
Severity:

Closed issues (12)

BDU:2015-11035
MEDIUM4.3

Уязвимость функции BN_GF2m_mod_inv библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2015-08-18Modified: 2024-11-28
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
References
BDU:2016-00666
LOW2.6

Уязвимость библиотеки OpenSSL, позволяющая нарушителю получить закрытый ключ

Published: 2016-03-23Modified: 2021-03-23
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
References
BDU:2016-00896
MEDIUM4.3

Уязвимость библиотеки OpenSSL, позволяющая нарушителю взломать криптографический механизм защиты

Published: 2016-04-14Modified: 2021-03-23
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
References
BDU:2016-01653
MEDIUM5.0

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2016-07-19Modified: 2021-03-23
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2016-01654
MEDIUM5.0

Уязвимость реализации ASN1_TFLG_COMBINE библиотеки OpenSSL, позволяющая нарушителю получить защищаемую информацию из памяти процесса

Published: 2016-07-19Modified: 2024-11-28
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2016-01655
MEDIUM4.3

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2016-07-19Modified: 2021-03-23
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
References
CVE-2015-1788
MEDIUM4.3

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

Published: 2015-06-12Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
References
CVE-2015-3194
HIGH7.5

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

Published: 2015-12-06Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2015-3195
MEDIUM5.3

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Published: 2015-12-06Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2015-3196
MEDIUM4.3

ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.

Published: 2015-12-06Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
References
CVE-2015-3197
MEDIUM5.9

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

Published: 2016-02-15Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2016-0701
LOW3.7

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Published: 2016-02-15Modified: 2025-04-12
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS 3.xLOW 3.7
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References