[Oraclevm-errata] OVMBA-2015-0130 Oracle VM 3.2 openssl bug fix update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Fri Nov 6 12:34:03 PST 2015
Oracle VM Bug Fix Advisory OVMBA-2015-0130
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
openssl-0.9.8e-36.0.2.el5_11.x86_64.rpm
openssl-0.9.8e-36.0.2.el5_11.i686.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/openssl-0.9.8e-36.0.2.el5_11.src.rpm
Description of changes:
[0.9.8e-36.0.2]
- To disable SSLv2 client connections create the file
/etc/sysconfig/openssl-ssl-client-kill-sslv2 (John Haxby) [orabug 21673934]
[0.9.8e-36.0.1]
- Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]
- fix CVE-2014-3570 - Bignum squaring may produce incorrect results
- fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
- fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
[0.9.8e-36]
- also change the default DH parameters in s_server to 1024 bits
[0.9.8e-35]
- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
the DH key size to at least 768 bits (limit will be increased in future)
[0.9.8e-34]
- Rebase ca-bundle.crt to the upstream version 2.4 with legacy
modifications. For compatibility reasons, several CA certificates with
RSA sizes of 1024 bits are still included.
- Add a patch to the source RPM that documents the changes from the
upstream version.
[0.9.8e-33]
- fix CVE-2014-8275 (without introduction of CVE-2015-0286) - various
certificate fingerprint issues
- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
ciphersuites and on server
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
- fix CVE-2015-0292 - integer underflow in base64 decoder
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
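The following shell script is an added example and is not part of the advisory or of the Oracle packages: it compares an installed openssl VERSION-RELEASE string against the fixed build named above (0.9.8e-36.0.2.el5_11) and reports whether the SSLv2 client kill-switch file from the 0.9.8e-36.0.2 changelog entry exists. It assumes the installed package string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl`; the script name `check_ovmba_2015_0130.sh` used in the final guard is an assumption as well.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an Oracle VM 3.2
# host carries the openssl build from OVMBA-2015-0130 and whether the SSLv2
# client kill-switch file introduced in 0.9.8e-36.0.2 is present.
# Assumption: the installed package is read with
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
# which yields strings such as 0.9.8e-36.0.2.el5_11.

FIXED_VR="0.9.8e-36.0.2.el5_11"                                  # from the advisory
SSLV2_KILL_FILE="/etc/sysconfig/openssl-ssl-client-kill-sslv2"   # from the changelog

# Compare two dotted numeric strings segment by segment (36 < 36.0.2 < 36.1).
# Prints lt, eq or gt. Missing trailing segments count as 0.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=''; else b=${b#*.}; fi
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Strip the distribution tag (.el5_11) so only the numeric release remains.
release_number() {
    printf '%s\n' "${1%.el*}"
}

# Return 0 if VERSION-RELEASE is at or above the fixed build, 1 if it is
# older, 2 if it is not the 0.9.8e series this advisory covers.
openssl_patched() {
    ver=${1%%-*}; rel=${1#*-}
    [ "$ver" = "${FIXED_VR%%-*}" ] || return 2
    case $(cmp_dotted "$(release_number "$rel")" \
                      "$(release_number "${FIXED_VR#*-}")") in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Return 0 if the SSLv2 client kill-switch file exists (path overridable for tests).
sslv2_client_disabled() {
    [ -e "${1:-$SSLV2_KILL_FILE}" ]
}

# Human-readable summary for one installed VERSION-RELEASE string.
report() {
    if openssl_patched "$1"; then st=0; else st=$?; fi
    case $st in
        0) echo "openssl $1: OVMBA-2015-0130 fixes present" ;;
        2) echo "openssl $1: not the 0.9.8e series covered by OVMBA-2015-0130" ;;
        *) echo "openssl $1: older than $FIXED_VR, update required" ;;
    esac
    if sslv2_client_disabled; then
        echo "SSLv2 client connections: disabled via $SSLV2_KILL_FILE"
    else
        echo "SSLv2 client connections: still enabled (create $SSLV2_KILL_FILE to disable)"
    fi
}

# Check a VERSION-RELEASE string given as the first argument, or query rpm on
# the live host when the script is run directly under its (assumed) file name.
if [ -n "$1" ]; then
    report "$1"
elif [ "${0##*/}" = "check_ovmba_2015_0130.sh" ]; then
    report "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl)"
fi
```

Usage: `sh check_ovmba_2015_0130.sh 0.9.8e-36.0.1.el5_11` reports the host as needing the update, while `sh check_ovmba_2015_0130.sh` with no argument queries rpm directly. The release comparison is done numerically per segment so that 36.0.2 correctly ranks above both 36 and 36.0.1, which a plain string comparison gets wrong.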