OpenSSL to announce new "high" severity vulnerabilities on Thursday (2015-03-19)

telephone

New Member
Link: [openssl-announce] Forthcoming OpenSSL releases

Forthcoming OpenSSL releases

============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

Yours

The OpenSSL Project Team
---

Q. What is classified as a high severity issue?
 

A. "This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited."
 

telephone

New Member
There were two "high" severity issues announced (one was a reclassification).

Link: OpenSSL Security Advisory
 

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================
 
Severity: High
 
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.
 
This issue affects OpenSSL version: 1.0.2
 
OpenSSL 1.0.2 users should upgrade to 1.0.2a.
 
This issue was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.
 
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================
 
Severity: High
 
This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".
 
This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.
 
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
 
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
 
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

...
 
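The reclassification above turns on one fact: CVE-2015-0204 only bites when the server is willing to negotiate an RSA export suite, and the advisory's point is that such servers turned out to be common. The probe below is an added example, not code from this thread or from the OpenSSL project. It sends a TLS 1.0 ClientHello that offers nothing but RSA_EXPORT cipher suites and classifies the server's first record: a ServerHello selecting one of them means the server supports export RSA (the precondition for a FREAK downgrade against an unpatched client); a handshake_failure alert means it does not. The embedded ServerHello and alert bytes are constructed samples, and the host/port arguments are whatever you point it at.

```python
import os
import socket
import struct

# RSA key-exchange "export" suites from RFC 2246 (40-bit) and the old
# draft-ietf-tls-56-bit-ciphersuites (1024-bit RSA / 56-bit symmetric).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_export_only_client_hello(client_random=None):
    """TLS 1.0 ClientHello record offering only RSA_EXPORT cipher suites."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in RSA_EXPORT_SUITES)
    body = (
        b"\x03\x01"                                # client_version = TLS 1.0
        + client_random                            # 32-byte random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
        + b"\x01\x00"                              # compression: null only
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first TLS record a server sent back.

    Returns ("export", suite_name) if the server picked an RSA_EXPORT suite,
    ("refused", detail) on an alert, or ("other", detail) for anything else.
    """
    if len(data) < 5:
        return ("other", "short response")
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == ALERT:
        if len(payload) < 2:
            return ("other", "truncated alert")
        return ("refused", "alert level=%d description=%d" % (payload[0], payload[1]))
    if ctype != HANDSHAKE or len(payload) < 4 or payload[0] != SERVER_HELLO:
        return ("other", "not a ServerHello")
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(hello) < 35:
        return ("other", "truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 2:
        return ("other", "truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    if suite in RSA_EXPORT_SUITES:
        return ("export", RSA_EXPORT_SUITES[suite])
    return ("other", "negotiated 0x%04x" % suite)


def probe(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello, classify the first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_export_only_client_hello())
        data = b""
        # read until one complete record (5-byte header + declared length) is in
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_server_response(data)


# Constructed sample (not a real capture): a ServerHello choosing 0x0008.
_hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x08" + b"\x00"
_hs = bytes([SERVER_HELLO]) + len(_hello).to_bytes(3, "big") + _hello
SAMPLE_EXPORT_SERVER_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs
# Constructed sample: fatal handshake_failure alert (level 2, description 40).
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(classify_server_response(SAMPLE_EXPORT_SERVER_HELLO))
        print(classify_server_response(SAMPLE_HANDSHAKE_FAILURE))
```

This checks the server side only: whether a particular client silently accepts the downgrade is what CVE-2015-0204 itself describes, and that is what the 1.0.1k/1.0.0p/0.9.8zd upgrades fix. The probe sends no SNI, so a name-based virtual host answers with its default configuration, and some servers drop the connection instead of sending an alert, which surfaces as a socket error rather than a "refused" result.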

mojeda

New Member
Debian wheezy updated packages are already out, you can update.
They don't appear to have been updated to the version they suggest.

Code:
~# openssl version -v
OpenSSL 1.0.1e 11 Feb 2013

https://packages.debian.org/wheezy/openssl

Edit:

Never mind, it does appear that 1.0.1e in wheezy has been patched.

Code:
openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium

  - Fix for CVE-2014-3571
  - Fix for CVE-2015-0206
  - Fix for CVE-2014-3569
  - Fix for CVE-2014-3572
  - Fix for CVE-2015-0204 <<<<<
  - Fix for CVE-2015-0205
  - Fix for CVE-2014-8275
  - Fix for CVE-2014-3570


eva2000

Active Member
I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.

Code:
/usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
Code:
apt-cache policy openssl
openssl:
  Installed: 1.0.1e-2+deb7u15
  Candidate: 1.0.1e-2+deb7u15
  Version table:
 *** 1.0.1e-2+deb7u15 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u13 0
        500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
 

centoslgd

New Member
> Debian wheezy updated packages are already out, you can update.

> I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.
>
> Code:
> /usr/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
> Code:
> apt-cache policy openssl
> openssl:
>   Installed: 1.0.1e-2+deb7u15
>   Candidate: 1.0.1e-2+deb7u15
>   Version table:
>  *** 1.0.1e-2+deb7u15 0
>         500 http://security.debian.org/ wheezy/updates/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1.0.1e-2+deb7u13 0
>         500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages

Any package updates for CentOS out yet?
 

Licensecart

Active Member
> I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.
>
> Code:
> /usr/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
> Code:
> apt-cache policy openssl
> openssl:
>   Installed: 1.0.1e-2+deb7u15
>   Candidate: 1.0.1e-2+deb7u15
>   Version table:
>  *** 1.0.1e-2+deb7u15 0
>         500 http://security.debian.org/ wheezy/updates/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1.0.1e-2+deb7u13 0
>         500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages

I use this:

Code:
# rpm -qa | grep openssl
openssl-devel-1.0.1e-30.el6_6.5.x86_64
openssl-1.0.1e-30.el6_6.5.x86_64
 

wlanboy

Content Contributor
Don't forget to compile all those Python, Ruby and PHP bindings against the OpenSSL lib again.

That's one advantage of using packages instead of compiling everything on your own.
 
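Rebuilding bindings has a companion check that the package version alone does not cover: any long-running process that still has the pre-upgrade libssl or libcrypto mapped keeps executing the vulnerable code until it is restarted. The script below is an added example, not code from this thread or from any distribution. It parses /proc/<pid>/maps (a constructed sample is embedded) and reports libssl/libcrypto mappings marked "(deleted)", which is how the kernel shows a file that was replaced on disk after the process loaded it.

```python
import glob
import re

# One mapped-file line from /proc/<pid>/maps:
#   address perms offset dev inode  pathname [ (deleted)]
MAPS_LINE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>\S.*?)(?P<deleted>\s\(deleted\))?$"
)
STALE_LIBS = ("libssl", "libcrypto")

# Constructed sample (not a real capture): a server that loaded libssl before
# the package upgrade replaced the file, so its mapping now reads "(deleted)".
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 fd:01 131073                             /usr/sbin/nginx
7f2b3c000000-7f2b3c1d0000 r-xp 00000000 fd:01 131099                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2b3c1d0000-7f2b3c3d0000 ---p 001d0000 fd:01 131099                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2b3c400000-7f2b3c5f0000 r-xp 00000000 fd:01 131101                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f2b3c600000-7f2b3c621000 rw-p 00000000 00:00 0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0                          [stack]
"""


def stale_libraries(maps_text):
    """Sorted list of deleted libssl/libcrypto paths found in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group("deleted"):
            continue
        path = m.group("path")
        if path.rsplit("/", 1)[-1].startswith(STALE_LIBS):
            found.add(path)
    return sorted(found)


def processes_with_stale_openssl():
    """Map pid -> stale library paths for every readable process on this host."""
    result = {}
    for maps in glob.glob("/proc/[0-9]*/maps"):
        pid = int(maps.split("/")[2])
        try:
            with open(maps) as f:
                text = f.read()
        except OSError:          # no permission for another user's process, or it exited
            continue
        libs = stale_libraries(text)
        if libs:
            result[pid] = libs
    return result


if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, libs in sorted(processes_with_stale_openssl().items()):
        print(pid, libs)
```

Run it as root to see other users' processes; unprivileged, it only reports your own. Distribution tools do the same job (`needs-restarting` from yum-utils on CentOS, `checkrestart` from debian-goodies on Debian), and a statically linked binary or a binding compiled against its own copy of OpenSSL will not show up here at all, which is the case the post above is warning about.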

weloveservers

New Member
Verified Provider
Worrying since more vulnerabilities are being found in 'enterprise' software, again. If Heartbleed weren't bad enough.
 