Bug 583540 - <www-apps/kibana-bin-{4.1.7,4.5.1}: Bundles vulnerable openssl (CVE-2016-2107)
Summary: <www-apps/kibana-bin-{4.1.7,4.5.1}: Bundles vulnerable openssl (CVE-2016-2107)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.elastic.co/blog/kibana-4-...
Whiteboard: ~4 [cve noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-20 05:36 UTC by Tomáš Mózes
Modified: 2016-07-03 12:58 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-03 12:54:58 UTC
CVE-2016-2107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2107):
  The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h
  does not consider memory allocation during a certain padding check, which
  allows remote attackers to obtain sensitive cleartext information via a
  padding-oracle attack against an AES CBC session. NOTE: this vulnerability
  exists because of an incorrect fix for CVE-2013-0169.
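The CVE text above gives two fixed versions (1.0.1t and 1.0.2h). Because kibana-bin ships its own OpenSSL rather than linking the system one, the practical question for an administrator is whether a given bundled version string falls inside the affected ranges. The following script is an added example, not part of this bug or of the Gentoo tree: it parses OpenSSL version strings in the form printed by `openssl version` (letter suffix included) and flags the ones the CVE text lists as vulnerable. The inventory it scans is constructed sample data, and the host names are placeholders.

```python
import re

# Affected ranges taken from the CVE text: OpenSSL before 1.0.1t, and 1.0.2
# before 1.0.2h. Versions are compared as (major, minor, patch, letter); in the
# 1.0.x series the letter suffix sorts alphabetically and an empty suffix
# (e.g. a plain "1.0.2") sorts before "a".
FIXED_1_0_1 = (1, 0, 1, "t")
FIXED_1_0_2 = (1, 0, 2, "h")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from strings such as
    'OpenSSL 1.0.2g  1 Mar 2016' (output of `openssl version`) or '1.0.2h-fips'.
    Returns None if no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected_by_cve_2016_2107(text):
    """True when the version lies in a range the CVE text lists as vulnerable."""
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    if v[:3] == (1, 0, 2):
        # 1.0.2 line: fixed in 1.0.2h
        return v < FIXED_1_0_2
    # "before 1.0.1t" taken literally: 1.0.1 releases older than 1.0.1t (and any
    # older line) are flagged; 1.1.x and later are outside the ranges in the text.
    return v < FIXED_1_0_1


# Constructed sample inventory (hypothetical hosts): host -> version string as
# reported by the OpenSSL bundled with that installation.
SAMPLE_INVENTORY = {
    "kibana-old": "1.0.2g",
    "kibana-new": "1.0.2h",
    "legacy-box": "OpenSSL 1.0.1s  1 Mar 2016",
    "modern-box": "OpenSSL 1.1.0c",
}


def find_affected(inventory):
    """Return the sorted host names whose bundled OpenSSL is in an affected range."""
    return sorted(host for host, ver in inventory.items()
                  if is_affected_by_cve_2016_2107(ver))


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print("%s: bundled OpenSSL %r is affected by CVE-2016-2107"
              % (host, SAMPLE_INVENTORY[host]))
```

The comparison is deliberately tuple-based rather than a string compare, so that "1.0.2" (no letter) is correctly treated as older than "1.0.2a" and a version such as "1.0.2h-fips" is recognised by its leading "1.0.2h".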
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-03 12:58:24 UTC
Packages were bumped and vulnerable versions removed:

commit 5e3ccc903f68180c057cfc10ba8b7ace13f083d6
Author: Tomas Mozes <hydrapolic@gmail.com>
Date:   Thu May 19 15:42:23 2016 +0200

    www-apps/kibana-bin: bump to 4.1.7/4.5.1, drop old
    
    Package-Manager: portage-2.3.0_rc1
    Closes: https://github.com/gentoo/gentoo/pull/1491
    
    Signed-off-by: Ian Delaney <idella4@gentoo.org>