Bug 1331402 (CVE-2016-2108)
| Field | Value |
|---|---|
| Summary | CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | anemec, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, daga, dahjelle.redhat.com, dandread, darran.lofthouse, devin, dknox, dosoudil, enagai, erik-fedora, fnasser, freiheit, gzaronik, hkario, huwang, jaeshin, jason.greene, jawilson, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mdshaikh, mparkin, mturk, myarboro, pdwyer, pgier, psakar, pslavice, redhat-bugzilla, rex.na, rjones, rnetuka, rsvoboda, ryan.parman, sander, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| See Also | https://issues.redhat.com/browse/JBCS-82 |
| Whiteboard | |
| Fixed In Version | openssl 1.0.1o, openssl 1.0.2c |
| Doc Type | Bug Fix |
| Doc Text | A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-02-22 12:28:42 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1331569, 1331570, 1331865, 1331866, 1332398, 1332399, 1332588, 1332589, 1332590, 1332591, 1335811, 1337157, 1337158, 1366994 |
| Bug Blocks | 1330106, 1395463 |
| Attachments | |
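The Doc Text above describes the flaw only as memory corruption in the ASN.1 encoder, and comment 1 below points at the upstream commit that stops OpenSSL from creating "negative zero" integer structures. The following is an added example, not OpenSSL code and not part of this bug report: a minimal DER INTEGER encoder and decoder in Python that models the in-memory value the way OpenSSL does (a sign flag plus a magnitude) and shows why a negative flag on a zero magnitude must be normalised rather than encoded. The helper names and the sample byte strings are constructed for illustration.

```python
"""Minimal DER INTEGER encoder/decoder that normalises "negative zero".

Added example, not OpenSSL code. It models an ASN.1 INTEGER as a
(negative, magnitude) pair, the shape OpenSSL's ASN1_INTEGER uses, and
shows the edge case the upstream commit guards against: a negative flag
combined with a zero magnitude, which has no valid DER form and must be
treated as plain zero before the length/content computation runs.
"""
from typing import Tuple


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported or indefinite DER length")
    body = data[pos + 1 : pos + 1 + nbytes]
    if len(body) != nbytes or body[0] == 0:
        raise ValueError("truncated or non-minimal DER length")
    length = int.from_bytes(body, "big")
    if length < 0x80:
        raise ValueError("long-form length used for a short value")
    return length, pos + 1 + nbytes


def encode_asn1_integer(magnitude: bytes, negative: bool) -> bytes:
    """Return the full TLV (tag 0x02) for a sign/magnitude pair.

    The length is derived from the normalised value, so the content written
    afterwards always has exactly the number of bytes that was reserved.
    """
    mag = magnitude.lstrip(b"\x00")
    if not mag:
        # Negative zero: the sign flag is meaningless, normalise to +0.
        negative = False
    value = int.from_bytes(mag, "big") if mag else 0
    if negative:
        value = -value
    # Smallest n such that value fits in n bytes of two's complement.
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    content = value.to_bytes(n, "big", signed=True)
    return b"\x02" + _der_length(len(content)) + content


def decode_asn1_integer(data: bytes) -> Tuple[bool, bytes]:
    """Parse one DER INTEGER TLV; return (negative, magnitude) with the
    magnitude in minimal big-endian form. Zero is always (False, b"\\x00"),
    so this decoder can never hand a negative zero to the encoder."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not an INTEGER")
    length, pos = _read_length(data, 1)
    content = data[pos : pos + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty INTEGER content")
    if pos + length != len(data):
        raise ValueError("trailing bytes after INTEGER")
    # DER minimality: no redundant leading 0x00 or 0xFF byte.
    if length > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(content, "big", signed=True)
    if value == 0:
        return False, b"\x00"
    mag = abs(value)
    return value < 0, mag.to_bytes((mag.bit_length() + 7) // 8, "big")


def roundtrip(der: bytes) -> bytes:
    """Decode then re-encode; with a normalising encoder this is idempotent."""
    negative, magnitude = decode_asn1_integer(der)
    return encode_asn1_integer(magnitude, negative)


if __name__ == "__main__":
    # Constructed inputs: +0, -0, 128, -128, -129. The first two encode the same.
    for mag, neg in [(b"", False), (b"\x00", True), (b"\x80", False),
                     (b"\x80", True), (b"\x81", True)]:
        der = encode_asn1_integer(mag, neg)
        print(mag.hex() or "00", "neg" if neg else "pos", "->", der.hex(),
              "roundtrip ok" if roundtrip(der) == der else "MISMATCH")
```

The point to take from the example is the ordering: sign and magnitude are normalised first, and the DER length is computed from the normalised value, so the byte count reserved for the content and the byte count written can never disagree. That is the invariant an encoder must hold for any internally constructed structure it is asked to re-encode.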
Description
Tomas Hoger
2016-04-28 13:14:05 UTC
Acknowledgments:
Name: the OpenSSL project
Upstream: Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)

Created attachment 1151879 [details]: OpenSSL upstream fix for the second issue
External References: https://openssl.org/news/secadv/20160503.txt

Created openssl101e tracking bugs for this issue:
Affects: epel-5 [bug 1332590]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1332588]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1332589]
Affects: epel-7 [bug 1332591]

The additional upstream commit preventing creation of structures for negative zero: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=f5da52e308a6aeea6d5f3df98c4da295d7e9cc27

openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Given that I am not familiar with every library/program that links to openssl on my server, do I need to consider a reboot after upgrading openssl (because an old version might be kept in memory), or is this taken care of by the operating system for me? If so, can anyone point to some documentation that explains how this works, please?

Bugzilla is not a support tool. Please contact Red Hat Support with questions such as the one above. The following page lists multiple ways to reach our Support: https://access.redhat.com/support/

openssl-1.0.2h-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html

openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2016:1137 https://access.redhat.com/errata/RHSA-2016:1137

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4.10
Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6.7 Extended Update Support
Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html

This issue has been addressed in the following products:
Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194

This issue has been addressed in the following products:
  JBoss Core Services on RHEL 6
Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193
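The thread above lists the upstream fixed versions (1.0.1o, 1.0.2c), a series of distribution errata, and a question about whether processes keep an old libssl in memory after the package is upgraded. The following is an added example, not Red Hat or OpenSSL tooling and not part of the bug report: three offline checks in Python that a practitioner would run against a host after this advisory. All sample strings (version strings, the changelog entry and the /proc maps lines) are constructed for illustration, and the function names are assumptions of this example.

```python
"""Patch-state checks for CVE-2016-2108. Added example, not vendor tooling.

1. upstream_fixed(): compare an `openssl version` string against the
   Fixed In Version values on this bug (1.0.1o, 1.0.2c).
2. changelog_fixes_cve(): look for the CVE id in `rpm -q --changelog openssl`
   output; distributions backport fixes without bumping the upstream version,
   so on RHEL/Fedora this is the check that actually answers the question.
3. processes_with_stale_openssl(): find /proc/<pid>/maps entries that still
   map a replaced ("(deleted)") libssl/libcrypto. Such a process keeps the
   old code until it restarts; the package upgrade alone does not fix it.
"""
import os
import re
from typing import Dict, List, Optional

CVE = "CVE-2016-2108"
# Branch -> first fixed release letter, from "Fixed In Version" on this bug.
FIXED_LETTER = {(1, 0, 1): "o", (1, 0, 2): "c"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
# A maps line ending in "(deleted)" means the mapped file was replaced on disk.
_STALE_LIB_RE = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)\s*$")


def upstream_fixed(version_output: str) -> Optional[bool]:
    """True/False for the 1.0.1 and 1.0.2 branches, True for later series,
    None for unrecognised strings or branches not covered by the advisory
    (0.9.8 and 1.0.0 were out of upstream support and are not in the table).
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    series = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)                      # "" for the .0 release of a branch
    if series in FIXED_LETTER:
        return letter >= FIXED_LETTER[series]  # "" < "a" < ... < "z" < "za"
    return True if series > (1, 0, 2) else None


def changelog_fixes_cve(changelog: str, cve: str = CVE) -> bool:
    """True if the package changelog names this CVE (word-bounded, so
    CVE-2016-21080 would not match)."""
    return re.search(re.escape(cve) + r"\b", changelog) is not None


def processes_with_stale_openssl(maps_by_pid: Dict[int, str]) -> List[int]:
    """maps_by_pid: {pid: contents of /proc/<pid>/maps}. Returns the pids
    that still map a deleted libssl/libcrypto and therefore need a restart."""
    stale = []
    for pid, maps in maps_by_pid.items():
        if any(_STALE_LIB_RE.search(line) for line in maps.splitlines()):
            stale.append(pid)
    return sorted(stale)


def read_live_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every readable process (Linux only;
    run as root to see other users' processes)."""
    out = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/maps") as fh:
                    out[int(name)] = fh.read()
            except OSError:
                continue
    return out


# Constructed sample inputs, not captured from a real host.
SAMPLE_VERSIONS = [
    "OpenSSL 1.0.2h  3 May 2016",          # upstream, fixed
    "OpenSSL 1.0.1e-fips 11 Feb 2013",     # RHEL-style string: backports, see check 2
    "OpenSSL 1.0.2b 11 Jun 2015",          # upstream, one release before the fix
]
SAMPLE_CHANGELOG = (
    "* Tue May 03 2016 Packager <packager@example.com> 1.0.1e-48.el6_8.1\n"
    "- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n"
    "- fix CVE-2016-2107 - padding oracle in AES-NI CBC MAC check\n"
)
SAMPLE_MAPS = {
    1234: "7f0a2c000000-7f0a2c1f0000 r-xp 00000000 fd:01 1310 "
          "/usr/lib64/libssl.so.1.0.1e (deleted)\n",
    1235: "7f0a2c000000-7f0a2c1f0000 r-xp 00000000 fd:01 1311 "
          "/usr/lib64/libssl.so.1.0.1e\n",
    1236: "7f3b10000000-7f3b101c0000 r-xp 00000000 fd:01 1312 "
          "/usr/lib64/libcrypto.so.10 (deleted)\n",
}

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(f"{v!r}: upstream fixed = {upstream_fixed(v)}")
    print("changelog mentions CVE:", changelog_fixes_cve(SAMPLE_CHANGELOG))
    print("pids with stale OpenSSL mappings:", processes_with_stale_openssl(SAMPLE_MAPS))
```

On a real host, feed `read_live_maps()` into `processes_with_stale_openssl()` after the upgrade; the result is the list of processes to restart. The version-string check is only meaningful for self-built OpenSSL, which is why the RHEL-style "1.0.1e" string is reported as not fixed and the changelog check is the one to trust for vendor packages.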