From URL (summaries):
----
- CVE-2015-4000: A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000). [affects;
- CVE-2015-1788: When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.
- CVE-2015-1789: X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.
- CVE-2015-1790: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
- CVE-2015-1792: When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.
- CVE-2015-1791: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
- CVE-2014-8176: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption. [fixed in 'm', so doesn't affect us?]
----
Affected versions: < 1.0.2b, < 1.0.1n. 1.0.2a and 1.0.1m are vulnerable, and 1.0.2b and 1.0.2b need to be stabilized.
Reproducible: Always
ABI breakage reported here: http://marc.info/?l=openssl-dev&m=143407129721271&w=2
The versions are in the tree, but the ABI issue is there, so we need to wait for upstream to sort that out before we stabilize.
1.0.2c and 1.0.1o are now out and reverse the ABI breakage.
openssl-0.9.8zg wasn't impacted by the ABI issue. Upstream has made new releases and those are in the tree. So the stabilization targets are:
openssl-0.9.8zg
openssl-1.0.1o
Thanks,

Arches, please stabilize:
=dev-libs/openssl-0.9.8z_p7
Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
=dev-libs/openssl-1.0.1o
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
(In reply to Kristian Fiskerstrand from comment #5)
> Thanks,
>
> Arches, please stabilize:
> =dev-libs/openssl-0.9.8z_p7
> Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86

Why do you keep doing that? I'm pretty sure most of those don't need the old branch.
CVE-2015-4000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000): The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

CVE-2015-1792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1792): The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.

CVE-2015-1791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1791): Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

CVE-2015-1790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1790): The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.

CVE-2015-1789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1789): The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.

CVE-2015-1788 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1788): The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

CVE-2014-8176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8176): The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
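As an added example (not part of this bug thread or of OpenSSL or Gentoo tooling): a small checker that parses OpenSSL's letter-suffixed version strings and tests an installed version against the per-branch fixed-in releases quoted in the NVD entries above, so an admin can tell which of the listed CVEs a given build still carries. The `gentoo_to_upstream` mapping of `0.9.8z_pN` to `0.9.8z<letter>` is an assumption inferred from the `0.9.8z_p7` / `0.9.8zg` pairing in this thread; Logjam (CVE-2015-4000) is left out of the table because the NVD text gives no OpenSSL version range for it.

```python
import re
from typing import Dict, List, Tuple

# Fixed-in releases per branch, taken from the NVD entries quoted above. A version on a
# listed branch is affected if it is older than that release; a branch not listed for a
# CVE (e.g. 1.0.2 for CVE-2014-8176, or any 1.1.x) is treated as unaffected by it.
_ZG = {"0.9.8": "0.9.8zg", "1.0.0": "1.0.0s", "1.0.1": "1.0.1n", "1.0.2": "1.0.2b"}
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2015-1792": _ZG,
    "CVE-2015-1791": _ZG,
    "CVE-2015-1790": _ZG,
    "CVE-2015-1789": _ZG,
    "CVE-2015-1788": {"0.9.8": "0.9.8s", "1.0.0": "1.0.0e", "1.0.1": "1.0.1n", "1.0.2": "1.0.2b"},
    "CVE-2014-8176": {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(v: str) -> Tuple[int, int, int, int, str]:
    """Turn '1.0.1n' or '0.9.8zg' into a tuple that compares in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, fix, letters = m.groups()
    # Letter suffixes run a..z and then za, zb, ...; a longer suffix is always newer,
    # so (length, text) orders 1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za correctly.
    return (int(major), int(minor), int(fix), len(letters), letters)

def branch_of(v: str) -> str:
    major, minor, fix, _, _ = parse_version(v)
    return f"{major}.{minor}.{fix}"

def gentoo_to_upstream(atom: str) -> str:
    """Map Gentoo's 0.9.8z_pN naming to upstream's letter form (assumed: _pN = z + Nth letter)."""
    s = atom[len("dev-libs/openssl-"):] if atom.startswith("dev-libs/openssl-") else atom
    m = re.match(r"^(\d+\.\d+\.\d+[a-z]*)_p(\d+)$", s)
    if not m:
        return s  # no _p suffix: already upstream style
    base, n = m.group(1), int(m.group(2))
    return base + chr(ord("a") + n - 1)  # _p7 -> "g", i.e. 0.9.8z_p7 -> 0.9.8zg

def affected_by(version: str) -> List[str]:
    """CVE ids from the table whose fix on this version's branch is newer than `version`."""
    pv, br = parse_version(version), branch_of(version)
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if br in fixes and pv < parse_version(fixes[br]))

if __name__ == "__main__":
    for v in ("1.0.1m", "1.0.2a", "1.0.1o", gentoo_to_upstream("dev-libs/openssl-0.9.8z_p7")):
        print(v, affected_by(v) or "not affected by the listed CVEs")
```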
amd64 stable
(In reply to Jeroen Roovers from comment #6)
> (In reply to Kristian Fiskerstrand from comment #5)
> > Thanks,
> >
> > Arches, please stabilize:
> > =dev-libs/openssl-0.9.8z_p7
> > Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
>
> Why do you keep doing that? I'm pretty sure most of those don't need the old
> branch.

Arches are free to drop stable support for a slot if there is no dependency on it, however a security bug is not the place to do so. As long as the slot has visible stable versions, we'll continue calling stabilization on it.
x86 stable
stable for ppc and ppc64.
arm stable
Stable for HPPA.
sparc stable
ia64 stable
alpha stable
New GLSA request filed
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201506-02 at https://security.gentoo.org/glsa/201506-02 by GLSA coordinator Kristian Fiskerstrand (K_F).
Re-opening for cleanup
Ping on cleanup.
Maintainer(s), thank you for the cleanup.