[security-announce] openssl: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Tue Dec 15 11:08:51 CET 2015



Enea Linux Security Advisory

=========================================================
Product/package: openssl 1.0.1p
Severity: Medium
CVE Names: CVE-2015-3194, CVE-2015-3195
Layer: poky
=========================================================

This security update fixes the following vulnerabilities:

CVE-2015-3194: Certificate verify crash with missing PSS parameter
CVE-2015-3195: X509_ATTRIBUTE memory leak

Description
===========
CVE-2015-3194: Certificate verify crash with missing PSS parameter
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before
1.0.2e allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an RSA PSS ASN.1
signature that lacks a mask generation function parameter.

CVE-2015-3195: X509_ATTRIBUTE memory leak
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in
OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and
1.0.2 before 1.0.2e mishandles errors caused by malformed
X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive
information from process memory by triggering a decoding failure in a
PKCS#7 or CMS application.
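The two descriptions above give the affected version ranges per release branch. The following helper, added here and not part of the Enea advisory or of OpenSSL, parses the string printed by `openssl version` and reports which of the two CVEs apply to a stock build of that version, using exactly the ranges stated above (the suffix ordering a..z, za..zh is an assumption about OpenSSL's release naming that holds for the versions named here):

```python
import re

# Version ranges exactly as stated in the advisory above:
# branch -> first release of that branch that carries the fix.
FIXED_IN = {
    "CVE-2015-3194": {"1.0.1": "1.0.1q", "1.0.2": "1.0.2e"},
    "CVE-2015-3195": {"0.9.8": "0.9.8zh", "1.0.0": "1.0.0t",
                      "1.0.1": "1.0.1q", "1.0.2": "1.0.2e"},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract an OpenSSL version from text such as 'OpenSSL 1.0.1p 9 Jul 2015'
    and return (branch, comparable tuple). Letter suffixes are ordered
    '' < a < ... < z < za < ... < zh (assumed OpenSSL release naming)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    rank = 0
    for ch in letters:  # base-26 positional: 'q' -> 17, 'z' -> 26, 'zh' -> 26*26+8
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    branch = "%s.%s.%s" % (major, minor, fix)
    return branch, (int(major), int(minor), int(fix), rank)


def affected_cves(version_text):
    """Return the CVEs from this advisory that apply to a stock OpenSSL of
    this version. A version-string check cannot see backported fixes: a
    distribution package (such as the patched 1.0.1p in this advisory) may
    already carry the fix while still reporting the old version number, so
    confirm against the package changelog as well."""
    branch, ver = parse_version(version_text)
    hits = []
    for cve, fixed_by_branch in FIXED_IN.items():
        fixed = fixed_by_branch.get(branch)
        if fixed is not None and ver < parse_version(fixed)[1]:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample: what `openssl version` prints on an unpatched 1.0.1p host.
    print(affected_cves("OpenSSL 1.0.1p 9 Jul 2015"))
```

Because the Enea correction is a backported patch on top of 1.0.1p, a host that has applied it will still be flagged by this check; treat the result as a prompt to verify the package, not as proof of exposure.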

References:
https://openssl.org/news/secadv/20151203.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195

Upstream patches:

CVE-2015-3194:
https://git.openssl.org/?p=openssl.git;a=commit;h=d8541d7e9e63bf5f343af24644046c8d96498c17

CVE-2015-3195:
https://git.openssl.org/?p=openssl.git;a=commit;h=b29ffa392e839d05171206523e84909146f7a77c

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=265f875c5aeb50e2cb443315ea3674a93d7024b5


How to get the latest patches
=============================
- If you have already cloned meta-enea, update it to get the new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do so as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy git://git.enea.com/linux/meta-vt.git


If you have any questions regarding the security patches and security
updates, please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
