
Security flaws in the openssl software package

——————————————————————————–
Fedora Update Notification
FEDORA-2014-9301
2014-08-09 06:52:46
——————————————————————————–

Name : openssl
Product : Fedora 19
Version : 1.0.1e
Release : 39.fc19
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

——————————————————————————–
Update Information:

Multiple moderate issues fixed.
——————————————————————————–
ChangeLog:

* Fri Aug 8 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
– fix CVE-2014-3505 – doublefree in DTLS packet processing
– fix CVE-2014-3506 – avoid memory exhaustion in DTLS
– fix CVE-2014-3507 – avoid memory leak in DTLS
– fix CVE-2014-3508 – fix OID handling to avoid information leak
– fix CVE-2014-3509 – fix race condition when parsing server hello
– fix CVE-2014-3510 – fix DoS in anonymous (EC)DH handling in DTLS
– fix CVE-2014-3511 – disallow protocol downgrade via fragmentation
* Thu Jun 5 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
– fix CVE-2010-5298 – possible use of memory after free
– fix CVE-2014-0195 – buffer overflow via invalid DTLS fragment
– fix CVE-2014-0198 – possible NULL pointer dereference
– fix CVE-2014-0221 – DoS from invalid DTLS handshake packet
– fix CVE-2014-0224 – SSL/TLS MITM vulnerability
– fix CVE-2014-3470 – client-side DoS when using anonymous ECDH
* Mon Apr 7 2014 Dennis Gilmore <dennis@ausil.us> – 1.0.1e-37.1
– pull in upstream patch for CVE-2014-0160
– removed CHANGES file portion from patch for expediency
* Tue Jan 7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37
– fix CVE-2013-4353 – Invalid TLS handshake crash
– fix CVE-2013-6450 – possible MiTM attack on DTLS1
* Fri Dec 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-36
– fix CVE-2013-6449 – crash when version in SSL structure is incorrect
– more FIPS validation requirement changes
– do not apply the no-md5-verify patch in released Fedora branches
* Wed Dec 18 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-35
– drop weak ciphers from the default TLS ciphersuite list
– add back some symbols that were dropped with update to 1.0.1 branch
– more FIPS validation requirement changes
* Tue Nov 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34
– fix locking and reseeding problems with FIPS drbg
* Fri Nov 15 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-33
– additional changes required for FIPS validation
* Wed Nov 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-32
– disable verification of certificate, CRL, and OCSP signatures
using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable
is not set
* Fri Nov 8 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-31
– add back support for secp521r1 EC curve
– add aarch64 to Configure (#969692)
* Tue Oct 29 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30
– fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346)
* Thu Oct 24 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-29
– do not advertise ECC curves we do not support (#1022493)
* Wed Oct 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-28
– only ECC NIST Suite B curves support
– drop -fips subpackage
* Mon Oct 14 2013 Tom Callaway <spot@fedoraproject.org> – 1.0.1e-27
– resolve bugzilla 319901 (phew! only took 6 years & 9 days)
* Fri Sep 27 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-26
– make DTLS1 work in FIPS mode
– avoid RSA and DSA 512 bits and Whirlpool in ‘openssl speed’ in FIPS mode
* Mon Sep 23 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-25
– avoid dlopening libssl.so from libcrypto (#1010357)
* Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
– fix small memory leak in FIPS aes selftest
* Thu Sep 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-23
– fix segfault in openssl speed hmac in the FIPS mode
* Thu Sep 12 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-22
– document the nextprotoneg option in manual pages
original patch by Hubert Kario
* Tue Sep 10 2013 Kyle McMartin <kyle@redhat.com> 1.0.1e-21
– [arm] use elf auxv to figure out armcap.c instead of playing silly
games with SIGILL handlers. (#1006474)
* Wed Sep 4 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-20
– try to avoid some races when updating the -fips subpackage
* Mon Sep 2 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-19
– use version-release in .hmac suffix to avoid overwrite
during upgrade
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-18
– allow deinitialization of the FIPS mode
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-17
– always perform the FIPS selftests in library constructor
if FIPS module is installed
* Tue Aug 27 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-16
– add -fips subpackage that contains the FIPS module files
* Fri Aug 16 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-15
– fix use of rdrand if available
– more commits cherry picked from upstream
– documentation fixes
* Sat Aug 3 2013 Petr Pisar <ppisar@redhat.com> – 1:1.0.1e-14
– Perl 5.18 rebuild
* Fri Jul 26 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-13
– additional manual page fix
– use symbol versioning also for the textual version
* Thu Jul 25 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-12
– additional manual page fixes
* Fri Jul 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-11
– use _prefix macro
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> – 1:1.0.1e-10
– Perl 5.18 rebuild
* Thu Jul 11 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-9
– add openssl.cnf.5 manpage symlink to config.5
* Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-8
– add relro linking flag
* Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-7
– add support for the -trusted_first option for certificate chain verification
* Fri May 3 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-6
– fix build of manual pages with current pod2man (#959439)
* Sun Apr 21 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.1e-5
– Enable ARM optimised build
——————————————————————————–
References:

[ 1 ] Bug #1127490 – CVE-2014-3508 openssl: information leak in pretty printing functions
https://bugzilla.redhat.com/show_bug.cgi?id=1127490
[ 2 ] Bug #1127498 – CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext
https://bugzilla.redhat.com/show_bug.cgi?id=1127498
[ 3 ] Bug #1127499 – CVE-2014-3505 openssl: DTLS packet processing double free
https://bugzilla.redhat.com/show_bug.cgi?id=1127499
[ 4 ] Bug #1127500 – CVE-2014-3506 openssl: DTLS memory exhaustion
https://bugzilla.redhat.com/show_bug.cgi?id=1127500
[ 5 ] Bug #1127502 – CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments
https://bugzilla.redhat.com/show_bug.cgi?id=1127502
[ 6 ] Bug #1127503 – CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1127503
[ 7 ] Bug #1127504 – CVE-2014-3511 openssl: TLS protocol downgrade attack
https://bugzilla.redhat.com/show_bug.cgi?id=1127504
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update openssl' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-9308
2014-08-09 06:53:01
——————————————————————————–

Name : openssl
Product : Fedora 20
Version : 1.0.1e
Release : 39.fc20
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

——————————————————————————–
Update Information:

Multiple moderate issues fixed.
——————————————————————————–
ChangeLog:

* Fri Aug 8 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
– fix CVE-2014-3505 – doublefree in DTLS packet processing
– fix CVE-2014-3506 – avoid memory exhaustion in DTLS
– fix CVE-2014-3507 – avoid memory leak in DTLS
– fix CVE-2014-3508 – fix OID handling to avoid information leak
– fix CVE-2014-3509 – fix race condition when parsing server hello
– fix CVE-2014-3510 – fix DoS in anonymous (EC)DH handling in DTLS
– fix CVE-2014-3511 – disallow protocol downgrade via fragmentation
* Thu Jun 5 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
– fix CVE-2010-5298 – possible use of memory after free
– fix CVE-2014-0195 – buffer overflow via invalid DTLS fragment
– fix CVE-2014-0198 – possible NULL pointer dereference
– fix CVE-2014-0221 – DoS from invalid DTLS handshake packet
– fix CVE-2014-0224 – SSL/TLS MITM vulnerability
– fix CVE-2014-3470 – client-side DoS when using anonymous ECDH
* Mon Apr 7 2014 Dennis Gilmore <dennis@ausil.us> – 1.0.1e-37.1
– pull in upstream patch for CVE-2014-0160
– removed CHANGES file portion from patch for expediency
* Tue Jan 7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37
– fix CVE-2013-4353 – Invalid TLS handshake crash
– fix CVE-2013-6450 – possible MiTM attack on DTLS1
* Fri Dec 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-36
– fix CVE-2013-6449 – crash when version in SSL structure is incorrect
– more FIPS validation requirement changes
– do not apply the no-md5-verify patch in released Fedora branches
* Wed Dec 18 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-35
– drop weak ciphers from the default TLS ciphersuite list
– add back some symbols that were dropped with update to 1.0.1 branch
– more FIPS validation requirement changes
* Tue Nov 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34
– fix locking and reseeding problems with FIPS drbg
* Fri Nov 15 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-33
– additional changes required for FIPS validation
* Wed Nov 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-32
– disable verification of certificate, CRL, and OCSP signatures
using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable
is not set
* Fri Nov 8 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-31
– add back support for secp521r1 EC curve
– add aarch64 to Configure (#969692)
——————————————————————————–
References:

[ 1 ] Bug #1127490 – CVE-2014-3508 openssl: information leak in pretty printing functions
https://bugzilla.redhat.com/show_bug.cgi?id=1127490
[ 2 ] Bug #1127498 – CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext
https://bugzilla.redhat.com/show_bug.cgi?id=1127498
[ 3 ] Bug #1127499 – CVE-2014-3505 openssl: DTLS packet processing double free
https://bugzilla.redhat.com/show_bug.cgi?id=1127499
[ 4 ] Bug #1127500 – CVE-2014-3506 openssl: DTLS memory exhaustion
https://bugzilla.redhat.com/show_bug.cgi?id=1127500
[ 5 ] Bug #1127502 – CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments
https://bugzilla.redhat.com/show_bug.cgi?id=1127502
[ 6 ] Bug #1127503 – CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1127503
[ 7 ] Bug #1127504 – CVE-2014-3511 openssl: TLS protocol downgrade attack
https://bugzilla.redhat.com/show_bug.cgi?id=1127504
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update openssl' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
