Arch Linux

FS#44227 - [openssl][CVE-2015-0288][CVE-2015-0285][CVE-2015-0209][CVE-2015-0291] openssl vulnerability

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 18:16 GMT
Last edited by Felix Yan (felixonmars) - Thursday, 19 March 2015, 16:08 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No



The current openssl version 1.0.2-1 is vulnerable to CVE-2015-0288.

Closed by Felix Yan (felixonmars)
Thursday, 19 March 2015, 16:08 GMT
Reason for closing: Fixed
Additional comments about closing: 1.0.2.a-1 landed in [core] and [multilib]
Comment by Levente Polyak (anthraxx) - Tuesday, 17 March 2015, 18:35 GMT
Comment by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 18:38 GMT
Dear moderator, please update the bug ticket title and add the 2 other CVEs that anthraxx has posted, thx!
Comment by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 20:22 GMT
The release that fixes these issues will be on 19.3.2015 according to this mail
Comment by Christian Rebischke (Shibumi) - Wednesday, 18 March 2015, 08:43 GMT
There is a 4th CVE: CVE-2015-0291. It's a DoS vulnerability and there is a stable exploit for it. The exploit will be published after the openssl release.

So please could a moderator add CVE-2015-0291 to the topic? thx!

best regards

Christian Rebischke <shibumi>
Comment by Remi Gacogne (rgacogne) - Thursday, 19 March 2015, 14:10 GMT
OpenSSL 1.0.2a has been released and fixes several issues. The advisory can be found in cache since the openssl site does not handle the load at the moment: