FS#44227 - [openssl][CVE-2015-0288][CVE-2015-0285][CVE-2015-0209][CVE-2015-0291] openssl vulnerability

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 18:16 GMT
Last edited by Felix Yan (felixonmars) - Thursday, 19 March 2015, 16:08 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Summary
=======

The current openssl version 1.0.2-1 is vulnerable against CVE-2015-0288.


References
==========

https://security-tracker.debian.org/tracker/CVE-2015-0288
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
This task depends upon

Closed by  Felix Yan (felixonmars)
Thursday, 19 March 2015, 16:08 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.0.2.a-1 landed in [core] and [multilib]
Comment by Levente Polyak (anthraxx) - Tuesday, 17 March 2015, 18:35 GMT
CVE-2015-0285 (handshake with unseeded PRNG)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2b31fcc0b5e7329e13806822a5709dbd51c5c8a4

CVE-2015-0209 (Fix a failure to NULL a pointer freed on error)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ba5d0113e8bcb26857ae58a11b219aeb7bc2408a
Comment by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 18:38 GMT
Dear moderator, please update the Bugticket title and add the 2 other CVEs that anthraxx has posted, thx!
Comment by Christian Rebischke (Shibumi) - Tuesday, 17 March 2015, 20:22 GMT
Release that fixes this issues will be at 19.3.2015 according to this mail https://mta.openssl.org/pipermail/openssl-users/2015-March/000778.html
Comment by Christian Rebischke (Shibumi) - Wednesday, 18 March 2015, 08:43 GMT
Hello,
There is a 4. CVE. CVE-2015-0291. It's a Dos Vulnerability and there is a stable exploit for it. The exploit will be published after openssl release.

So please could a moderator add CVE-2015-0291 to the topic? thx!

best regards

Christian Rebischke <shibumi>
Comment by Remi Gacogne (rgacogne) - Thursday, 19 March 2015, 14:10 GMT
OpenSSL 1.0.2a has been released (ftp://ftp.openssl.org/source/) and fix several issues. The advisory can be found in cache since the openssl site does not handle the load at the moment:

https://webcache.googleusercontent.com/search?q=cache:F1Ci71PuzOAJ:https://www.openssl.org/news/secadv_20150319.txt+&cd=2&hl=en&ct=clnk&gl=fr

Loading...