Bug ID | 937891 |
---|---|
Summary | VUL-0: libressl: multiple vulnerabilities |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | 13.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Major |
Priority | P5 - None |
Component | Security |
Assignee | jengelh@inai.de |
Reporter | astieger@suse.com |
QA Contact | qa-bugs@suse.de |
CC | security-team@suse.de |
Found By | Security Response Team |
Blocker | --- |

13.2 ships LibreSSL 2.0.5. As a fork of OpenSSL it will share most of its issues, while avoiding others. The following, however, are known to be fixed in subsequent releases of LibreSSL:

2.1.0:
* Fixes for many memory leaks and overflows in error handlers

2.1.1:
* Address POODLE attack by disabling SSLv3 by default

2.1.1:
* Added reworked GOST cipher suite support

2.1.3:
* Fixed various memory leaks in DTLS, including fixes for CVE-2015-0206.

2.1.4: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.4-relnotes.txt
* Fix a minor information leak that was introduced in t1_lib.c
* CVE-2015-0205 - DH client certificates accepted without verification
* CVE-2014-3570 - Bignum squaring may produce incorrect results
* CVE-2014-8275 - Certificate fingerprints can be modified
* CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]

2.1.6: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6-relnotes.txt
* CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
* CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
* CVE-2015-0287 - ASN.1 structure reuse memory corruption
* CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
* CVE-2015-0289 - PKCS7 NULL pointer dereferences

2.2.0:
* CVE-2015-1788 - Malformed ECParameters causes infinite loop
* CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
* CVE-2015-1792 - CMS verify infinite loop with unknown hash function