Bug ID 937891
Summary VUL-0: libressl: multiple vulnerabilities
Classification openSUSE
Product openSUSE Distribution
Version 13.2
Hardware Other
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee jengelh@inai.de
Reporter astieger@suse.com
QA Contact qa-bugs@suse.de
CC security-team@suse.de
Found By Security Response Team
Blocker --- 

13.2 ships LibreSSL 2.0.5. As a fork of OpenSSL it will some most of it's
issues, while avoiding others.

The following, however, are known to be fixed in a subsequent releases of
LibreSSL

2.1.0:
* Fixes for many memory leaks and overflows in error handlers

2.1.1:
* Address POODLE attack by disabling SSLv3 by default

2.1.1:
* Added reworked GOST cipher suite support

2.1.3:
* Fixed various memory leaks in DTLS, including fixes for CVE-2015-0206.

2.1.4:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.4-relnotes.txt
- Fix a minor information leak that was introduced in t1_lib.c

CVE-2015-0205 - DH client certificates accepted without verification
CVE-2014-3570 - Bignum squaring may produce incorrect results
CVE-2014-8275 - Certificate fingerprints can be modified
CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]

2.1.6:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6-relnotes.txt
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

2.2.0:
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function

You are receiving this mail because: