FEDORA-EPEL-2017-90b2cbfdaf created by robert 2 years ago for Fedora EPEL 5
stable

OpenSSL

Security Fixes

  • An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. (CVE-2017-3731)
  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)
  • The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. (CVE-2016-7056)
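
A defensive check for the ALERT-flood condition described in CVE-2016-8610, as an added example (not code from OpenSSL or from this update): it walks the plaintext TLS records captured during a handshake and reports the longest run of consecutive warning alerts. The threshold of 5, the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_CCS        20  /* ChangeCipherSpec: later records are encrypted */
#define REC_ALERT      21  /* TLS record ContentType for alerts */
#define ALERT_WARNING   1  /* AlertLevel warning */
#define MAX_CONSEC_ALERTS 5  /* assumed policy threshold, not from the advisory */

/* Longest run of back-to-back plaintext warning alerts seen before
 * ChangeCipherSpec, or -1 if the capture is truncated. */
int longest_warning_alert_run(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int run = 0, longest = 0;
    while (off < len) {
        if (len - off < 5) return -1;              /* short record header */
        uint8_t type = buf[off];
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (rlen > len - off - 5) return -1;       /* body runs past the capture */
        if (type == REC_CCS) break;                /* stop at the encrypted part */
        int warn = type == REC_ALERT && rlen == 2 && buf[off + 5] == ALERT_WARNING;
        run = warn ? run + 1 : 0;                  /* any other record ends the run */
        if (run > longest) longest = run;
        off += 5 + rlen;
    }
    return longest;
}

/* 1 when the handshake carries more consecutive warning alerts than allowed. */
int is_alert_flood(const uint8_t *buf, size_t len) {
    return longest_warning_alert_run(buf, len) > MAX_CONSEC_ALERTS;
}

/* Constructed sample: a handshake record with a dummy 4-byte body, then n warning alerts. */
size_t build_sample(uint8_t *out, int n_alerts) {
    static const uint8_t hs[] = {22, 3, 3, 0, 4, 1, 0, 0, 0};
    static const uint8_t al[] = {21, 3, 3, 0, 2, ALERT_WARNING, 90};
    size_t n = 0;
    for (size_t i = 0; i < sizeof hs; i++) out[n++] = hs[i];
    for (int k = 0; k < n_alerts; k++)
        for (size_t i = 0; i < sizeof al; i++) out[n++] = al[i];
    return n;
}

int main(void) {
    uint8_t buf[128];
    size_t n = build_sample(buf, 8);               /* 8 alerts: above the threshold */
    printf("run=%d flood=%d\n", longest_warning_alert_run(buf, n), is_alert_flood(buf, n));
    return 0;
}
```
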
This update has been submitted for testing by robert. 2 years ago
lupinix commented & provided feedback 2 years ago

Looks fine

This update has been pushed to testing. 2 years ago
This update has been submitted for stable by bodhi. 2 years ago
This update has been pushed to stable. 2 years ago


Metadata

  • Type: security
  • Severity: medium
  • Karma: 1
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: 1

Dates

  • submitted: 2 years ago
  • in testing: 2 years ago
  • in stable: 2 years ago

  • BZ#1384743 CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
  • BZ#1388727 CVE-2016-8610 openssl101e: SSL/TLS libraries: Malformed plain-text ALERT packets could cause remote DoS [epel-5]
  • BZ#1412120 CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery
  • BZ#1412123 CVE-2016-7056 openssl101e: openssl: ECSDA P-256 timing attack key recovery [epel-5]
  • BZ#1412127 CVE-2016-7056 openssl101e: openssl: ECSDA P-256 timing attack key recovery [epel-5]
  • BZ#1416852 CVE-2017-3731 openssl: Truncated packet could crash via OOB read
  • BZ#1416866 CVE-2017-3731 openssl101e: openssl: Truncated packet could crash via OOB read [epel-5]
