Bug 1331441 (CVE-2016-2105)
Summary: | CVE-2016-2105 openssl: EVP_EncodeUpdate overflow | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | akjain, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, fnasser, gzaronik, hkario, huwang, huzaifas, jaeshin, jason.greene, jawilson, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, ryan.parman, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
See Also: | https://issues.redhat.com/browse/JBCS-87 | ||||||
Whiteboard: | |||||||
Fixed In Version: | openssl 1.0.1t, openssl 1.0.2h | Doc Type: | Bug Fix | ||||
Doc Text: |
An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-02-22 12:28:19 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1331569, 1331570, 1331865, 1331866, 1332588, 1332589, 1332590, 1332591, 1332975, 1337149, 1337150, 1337151, 1366994 | ||||||
Bug Blocks: | 1330106, 1395463 | ||||||
Attachments: |
|
Description
Tomas Hoger
2016-04-28 14:04:59 UTC
Acknowledgments: Name: the OpenSSL project Upstream: Guido Vranken Created attachment 1151923 [details]
OpenSSL upstream fix
External References: https://openssl.org/news/secadv/20160503.txt Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1332590] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1332588] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1332589] Affects: epel-7 [bug 1332591] Upstream commit: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5b814481f3573fa9677f3a31ee51322e2a22ee6a openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. openssl-1.0.2h-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat JBoss Web Server 2.1.1 Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.10 Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html |