As per Upstream advisory: A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on 7th February 2016 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson of OpenSSL.
Created attachment 1129420 [details] Upstream patch
Public via: Upstream patch: http://git.openssl.org/?p=openssl.git;a=commitdiff;h=ab4a81f69ec88d06c9d8de15326b9296d7f498ed
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1312862]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1312860]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1312861]
Acknowledgments: Name: the OpenSSL project Upstream: Adam Langley (Google/BoringSSL)
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html
openssl-1.0.2g-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html
openssl-1.0.1k-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:2568 https://access.redhat.com/errata/RHSA-2018:2568
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:2575 https://access.redhat.com/errata/RHSA-2018:2575
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:2713 https://access.redhat.com/errata/RHSA-2018:2713