Bug 1127490 (CVE-2014-3508)
| Summary: | CVE-2014-3508 openssl: information leak in pretty printing functions | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrew Griffiths <agriffit> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aavati, abaron, alonbl, aneelica, aortega, apevec, ayoung, bazulay, bmcclain, bressers, btotty, cdewolf, cfergeau, chazlett, chrisw, dallan, dandread, darran.lofthouse, dblechte, dgregor, djorm, dknox, ecohen, erik-fedora, fdeutsch, fnasser, gkotton, huwang, idith, iheim, jason.greene, jawilson, jclere, jdoyle, jgreguske, jrusnack, ktietz, lfarkas, lgao, lhh, lpeer, marcus, markmc, myarboro, nlevinki, pgier, pslavice, pstehlik, rbalakri, rbryant, rfortier, rhs-bugs, rh-spice-bugs, rjones, rsvoboda, sclewis, shaines, smohan, ssaha, tmraz, vbellur, vtunka, weli, ycui, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssl 1.0.1i, openssl 1.0.0n, openssl 0.9.8zb | Doc Type: | Bug Fix |
| Doc Text: |
It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-24 17:43:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1127695, 1127696, 1127697, 1127698, 1127704, 1127705, 1127709, 1127831, 1127832, 1127885, 1128013, 1128014, 1128015, 1128016, 1128405, 1128406, 1128961, 1181611 | ||
| Bug Blocks: | 1127468, 1127506, 1138223, 1142543 | ||
|
Description
Andrew Griffiths
2014-08-07 01:14:41 UTC
External References: https://www.openssl.org/news/secadv_20140806.txt Upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87 Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1127704] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1127705] Created mingw-openssl tracking bugs for this issue: Affects: epel-7 [bug 1127709] Created mingw32-openssl tracking bugs for this issue: Affects: epel-5 [bug 1127885] openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. IssueDescription: It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1053 https://rhn.redhat.com/errata/RHSA-2014-1053.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html This issue has been addressed in following products: Red Hat Storage 2.1 Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2014:1256 https://rhn.redhat.com/errata/RHSA-2014-1256.html This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.0 Via RHSA-2014:1297 https://rhn.redhat.com/errata/RHSA-2014-1297.html |