Advisories ยป MGASA-2016-0338

Updated openssl packages fix security vulnerabilities

Publication date: 11 Oct 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-2177 , CVE-2016-2178 , CVE-2016-2179 , CVE-2016-2181 , CVE-2016-2180 , CVE-2016-2182 , CVE-2016-6303 , CVE-2016-2183 , CVE-2016-6302 , CVE-2016-6304 , CVE-2016-6306


Guido Vranken discovered that OpenSSL uses undefined pointer arithmetic

Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing leak in the
DSA code (CVE-2016-2178).

Quan Luo and the OCAP audit team discovered denial of service vulnerabilities
in DTLS (CVE-2016-2179, CVE-2016-2181).

Shi Lei discovered an out-of-bounds memory read in TS_OBJ_print_bio() and an
out-of-bounds write in BN_bn2dec() and MDC2_Update() (CVE-2016-2180,
CVE-2016-2182, CVE-2016-6303).

DES-based cipher suites are demoted from the HIGH group to MEDIUM as a
mitigation for the SWEET32 attack (CVE-2016-2183).

Shi Lei discovered that the use of SHA512 in TLS session tickets is
susceptible to denial of service (CVE-2016-6302).

Shi Lei discovered that excessively large OCSP status request may result in
denial of service via memory exhaustion (CVE-2016-6304).

Shi Lei discovered that missing message length validation when parsing
certificates may potentially result in denial of service (CVE-2016-6306).