Bug 1103598 (CVE-2014-0195)
| Summary: | CVE-2014-0195 openssl: Buffer overflow via DTLS invalid fragment | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | aavati, abaron, acathrow, aneelica, aortega, apevec, ayoung, bazulay, cdewolf, cfergeau, chrisw, cpelland, dallan, darran.lofthouse, dblechte, fdeutsch, fnasser, fweimer, gkotton, hkario, huwang, idith, iheim, jawilson, jkurik, jrusnack, lgao, lhh, markmc, myarboro, nlevinki, pgier, pmatouse, pslavice, rbryant, rfortier, rsvoboda, sardella, sclewis, security-response-team, ssaha, tmraz, vbellur, vtunka, weli, yeylon | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-11 05:30:37 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1096233, 1096234, 1103604, 1103605, 1103632, 1103633, 1103741, 1104349, 1104350, 1127888, 1127889 | ||||||
| Bug Blocks: | 1103601 | ||||||
| Attachments: |
|
||||||
|
Description
Huzaifa S. Sidhpurwala
2014-06-02 07:40:03 UTC
Created attachment 901375 [details]
Upstream patch
This issue was introduced upstream in version 0.9.8o via the following commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c713a4c https://rt.openssl.org/Ticket/Display.html?id=2230&user=guest&pass=guest Affected code does not exist in the openssl packages as shipped with Red Hat Enterprise Linux 5, which are based on upstream version 0.9.8e. Fixed upstream in OpenSSL 1.0.1h, 1.0.0m and 0.9.8za. External References: https://www.openssl.org/news/secadv_20140605.txt Upstream commits: OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1632ef744872edc2aa2a53d487d3e79c965a4ad3 OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=82ba68c42d6a9cf245afa489471005b2a0377c10 This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1096233] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1096234] This issue has been addressed in following products: Red Hat Storage 2.1 Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html Statement: This issue does not affect the version of openssl as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of openssl098e as shipped with Red Hat Enterprise Linux 6. openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html Created mingw32-openssl tracking bugs for this issue: Affects: epel-5 [bug 1127888] |