[linux-sparc-announce] LFSSA-2015-0268 Linux for SPARC 1.0 openssl security update
Announcements for Linux for SPARC
linux-sparc-announce at oss.oracle.com
Thu Dec 17 16:55:58 PST 2015
Linux for SPARC Security Advisory LFSSA-2015-0268
The following updated rpms for Linux for SPARC 1.0 have been uploaded to
the yum.oracle.com:
sparc64:
openssl-1.0.1e-42.0.1.el6_7.1.sparc64.rpm
openssl-devel-1.0.1e-42.0.1.el6_7.1.sparc64.rpm
openssl-perl-1.0.1e-42.0.1.el6_7.1.sparc64.rpm
openssl-static-1.0.1e-42.0.1.el6_7.1.sparc64.rpm
SRPMS:
http://yum.oracle.com/repo/linux_sparc64/latest/openssl-1.0.1e-42.0.1.el6_7.1.src.rpm
Description of changes:
[1.0.1e-42.0.1.1]
- re-incorporate the sparc64 patches
(philip.copeland at oracle.com/john.haxby at oracle.com)
- disable the no-asm flag for sparc64
(philip.copeland at oracle.com/john.haxby at oracle.com)
[1.0.1e-42.1]
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
- fix CVE-2015-3196 - race condition when handling PSK identity hint
[1.0.1e-42]
- fix regression caused by mistake in fix for CVE-2015-1791
[1.0.1e-41]
- improved fix for CVE-2015-1791
- add missing parts of CVE-2015-0209 fix for corectness although
unexploitable
[1.0.1e-40]
- fix CVE-2014-8176 - invalid free in DTLS buffering code
- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
- fix CVE-2015-1791 - race condition handling NewSessionTicket
- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function
[1.0.1e-39]
- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on
read in multithreaded applications
[1.0.1e-38]
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
the DH key size to at least 768 bits (limit will be increased in future)
[1.0.1e-37]
- drop the AES-GCM restriction of 2^32 operations because the IV is
always 96 bits (32 bit fixed field + 64 bit invocation field)
[1.0.1e-36]
- update fix for CVE-2015-0287 to what was released upstream
[1.0.1e-35]
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
- fix CVE-2015-0292 - integer underflow in base64 decoder
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
[1.0.1e-34]
- copy digest algorithm when handling SNI context switch
- improve documentation of ciphersuites - patch by Hubert Kario
- add support for setting Kerberos service and keytab in
s_server and s_client
[1.0.1e-33]
- fix CVE-2014-3570 - incorrect computation in BN_sqr()
- fix CVE-2014-3571 - possible crash in dtls1_get_record()
- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS
state
- fix CVE-2014-8275 - various certificate fingerprint issues
- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
ciphersuites and on server
- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
- fix CVE-2015-0206 - possible memory leak when buffering DTLS records
[1.0.1e-32]
- use FIPS approved method for computation of d in RSA
[1.0.1e-31]
- fix CVE-2014-3567 - memory leak when handling session tickets
- fix CVE-2014-3513 - memory leak in srtp support
- add support for fallback SCSV to partially mitigate CVE-2014-3566
(padding attack on SSL3)
More information about the linux-sparc-announce
mailing list