Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-177-1 openssl

Debian Security Advisory

DLA-177-1 openssl -- LTS security update

Date Reported:

20 Mar 2015

Affected Packages:

openssl

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293.

More information:

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

• CVE-2015-0209

  It was discovered that a malformed EC private key might result in memory corruption.

• CVE-2015-0286

  Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.

• CVE-2015-0287

  Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

• CVE-2015-0288

  It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.

• CVE-2015-0289

  Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.

• CVE-2015-0292

  It was discovered that missing input sanitising in base64 decoding might result in memory corruption.

• CVE-2015-0293

  A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

For Debian 6 Squeeze, these issues have been fixed in openssl version 0.9.8o-4squeeze20