Bug 519264 (CVE-2014-3505) - <dev-libs/openssl-{0.9.8z_p2,1.0.1i}: Multiple vulnerabilities (CVE-2014-{3505,3506,3507,3509,3510,3511,3512,5139})
Status: RESOLVED FIXED
Alias: CVE-2014-3505
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openssl.org/news/secadv_2...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-06 22:33 UTC by Hanno Böck
Modified: 2014-12-26 01:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2014-08-06 22:33:37 UTC
OpenSSL has new releases which fix a whole bunch of crashes, memory vulnerabilities, DoS attacks and TLS protocol issues. Details:
https://www.openssl.org/news/secadv_20140806.txt

Please bump to 1.0.1i (and for the older versions 1.0.0n and 0.9.8zb).
Comment 1 SpanKY gentoo-dev 2014-08-07 02:03:51 UTC
1.0.1i/0.9.8zb in the tree
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-08-09 12:36:05 UTC
Thanks,

Arches please stabilize 
=dev-libs/openssl-1.0.1i
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=dev-libs/openssl-0.9.8z_p2
Targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-09 13:07:21 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-09 13:07:48 UTC
x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2014-08-09 15:21:42 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> =dev-libs/openssl-0.9.8z_p2
> Targets: alpha amd64 arm ia64 ppc ppc64 sparc x86

Please review that list. I'm quite sure it shouldn't even be ~arch in many cases. For those cases the 0.9.8 branch should probably be reverted to ~arch so as to cause less confusion next time.
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2014-08-09 15:54:01 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Kristian Fiskerstrand from comment #2)
> > =dev-libs/openssl-0.9.8z_p2
> > Targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
> 
> Please review that list. I'm quite sure it shouldn't even be ~arch in many
> cases. For those cases the 0.9.8 branch should probably be reverted to ~arch
> so as to cause less confusion next time.

Indeed, I should have noted that if some arches don't want to bump the 0.9.8 branch they are free to reduce it to ~arch so long as there isn't a reverse dependency on it, e.g. from a binary package. On the same note, it should be considered whether it makes sense to keep the 1.0.0 branch in stable.
Comment 7 Jeroen Roovers gentoo-dev 2014-08-09 16:03:49 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2014-08-13 15:22:54 UTC
arm stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-08-17 01:22:52 UTC
CVE-2014-5139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5139):
  The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before
  1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer
  dereference and client application crash) via a ServerHello message that
  includes an SRP ciphersuite without the required negotiation of that
  ciphersuite with the client.

CVE-2014-3512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3512):
  Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation
  in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of
  service (application crash) or possibly have unspecified other impact via an
  invalid SRP (1) g, (2) A, or (3) B parameter.

CVE-2014-3511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3511):
  The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before
  1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by
  triggering ClientHello message fragmentation in communication between a
  client and server that both support later TLS versions, related to a
  "protocol downgrade" issue.

CVE-2014-3510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3510):
  The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8
  before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote
  DTLS servers to cause a denial of service (NULL pointer dereference and
  client application crash) via a crafted handshake message in conjunction
  with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.

CVE-2014-3509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3509):
  Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in
  OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and
  session resumption are used, allows remote SSL servers to cause a denial of
  service (memory overwrite and client application crash) or possibly have
  unspecified other impact by sending Elliptic Curve (EC) Supported Point
  Formats Extension data.

CVE-2014-3507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3507):
  Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before
  0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote
  attackers to cause a denial of service (memory consumption) via zero-length
  DTLS fragments that trigger improper handling of the return value of a
  certain insert function.

CVE-2014-3506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3506):
  d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0
  before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a
  denial of service (memory consumption) via crafted DTLS handshake messages
  that trigger memory allocations corresponding to large length values.

CVE-2014-3505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3505):
  Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL
  0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows
  remote attackers to cause a denial of service (application crash) via
  crafted DTLS packets that trigger an error condition.
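As an added defender's check, not part of this bug or of Gentoo's tooling: a small version checker built from the affected ranges the bot lists above (0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, 1.0.1 before 1.0.1i). It assumes, from the bug title, that the Gentoo package version 0.9.8z_p2 corresponds to upstream 0.9.8zb; the sample inventory at the bottom is constructed.

```python
import re
from string import ascii_lowercase

# Fixed versions per branch, as given in the CVE text above (comment 9).
FIXED_BY_BRANCH = {"0.9.8": "0.9.8zb", "1.0.0": "1.0.0n", "1.0.1": "1.0.1i"}

_UPSTREAM_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_GENTOO_P_RE = re.compile(r"^(\d+\.\d+\.\d+)z_p(\d+)$")


def parse_openssl_version(version):
    """Parse an old-style OpenSSL version ('1.0.1h', '0.9.8za') into a
    comparable tuple. The letter suffix is ranked as a base-26 number with
    digits a=1..z=26, so '' < 'a' < ... < 'z' < 'za' < 'zb', which is the
    order in which OpenSSL issued these letters."""
    m = _UPSTREAM_RE.match(version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    rank = 0
    for ch in letters:
        rank = rank * 26 + ascii_lowercase.index(ch) + 1
    return (int(major), int(minor), int(fix), rank)


def gentoo_to_upstream(pv):
    """Map a Gentoo ebuild version to the upstream one. Assumption taken from
    the bug title: portage cannot express 'za'/'zb', so dev-libs/openssl-0.9.8z_p2
    is upstream 0.9.8zb (z_p1 -> za, z_p2 -> zb). Other versions pass through."""
    m = _GENTOO_P_RE.match(pv)
    if not m:
        return pv
    base, n = m.group(1), int(m.group(2))
    return "%sz%s" % (base, ascii_lowercase[n - 1])


def is_affected(version):
    """True if the version falls in an affected range for these CVEs, False if
    it is at or past the fixed release, None if the branch is not covered by
    the advisory text (e.g. a 1.0.2 pre-release)."""
    parsed = parse_openssl_version(gentoo_to_upstream(version))
    fixed = FIXED_BY_BRANCH.get("%d.%d.%d" % parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_openssl_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. as reported by `qlist -Iv dev-libs/openssl`.
    for pv in ["0.9.8z", "0.9.8z_p2", "1.0.0m", "1.0.1h", "1.0.1i", "1.0.2"]:
        print(pv, {True: "VULNERABLE", False: "fixed", None: "not covered"}[is_affected(pv)])
```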
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-19 08:49:10 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-21 09:46:28 UTC
ppc stable
Comment 12 Kristian Fiskerstrand gentoo-dev Security 2014-09-04 10:28:17 UTC
@alpha/sparc: May we have some action on this bug please? It is blocking cleanup and GLSA release.
Comment 13 Tobias Klausmann gentoo-dev 2014-09-05 10:55:02 UTC
Stable for alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2014-09-19 10:35:26 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-04 21:29:07 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.


Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 01:14:05 UTC
This issue was resolved and addressed in
GLSA 201412-39 at http://security.gentoo.org/glsa/glsa-201412-39.xml
by GLSA coordinator Sean Amoss (ackle).