http://bugzilla.opensuse.org/show_bug.cgi?id=937891

Bug ID: 937891
Summary: VUL-0: libressl: multiple vulnerabilities
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: jengelh@inai.de
Reporter: astieger@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: Security Response Team
Blocker: ---

13.2 ships LibreSSL 2.0.5. As a fork of OpenSSL it will share most of its issues, while avoiding others. The following, however, are known to be fixed in subsequent releases of LibreSSL:

2.1.0:
* Fixes for many memory leaks and overflows in error handlers

2.1.1:
* Address POODLE attack by disabling SSLv3 by default
* Added reworked GOST cipher suite support

2.1.3:
* Fixed various memory leaks in DTLS, including fixes for CVE-2015-0206.

2.1.4:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.4-relnotes.txt
- Fix a minor information leak that was introduced in t1_lib.c
CVE-2015-0205 - DH client certificates accepted without verification
CVE-2014-3570 - Bignum squaring may produce incorrect results
CVE-2014-8275 - Certificate fingerprints can be modified
CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]

2.1.6:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6-relnotes.txt
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

2.2.0:
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function