Errata ALT-PU-2016-1438-1: Information
Fixes
Published: May 4, 2016
BDU:2020-02960
Vulnerability in the EVP_EncodeUpdate function (crypto/evp/encode.c) of the OpenSSL library, related to an error in handling a number, allowing an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: May 4, 2016
BDU:2020-02961
Vulnerability in the EVP_EncodeUpdate function (crypto/evp/evp_enc.c) of the OpenSSL library, related to an error in handling a number, allowing an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: May 4, 2016
BDU:2020-02962
Vulnerability in the padding-check function of the AES-NI implementation of the OpenSSL library, allowing an attacker to gain unauthorized access to confidential data
Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Links:
Published: May 4, 2016
BDU:2020-02963
Vulnerability in the asn1_d2i_read_bio function (crypto/asn1/a_d2i_fp.c) of the OpenSSL library, allowing an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: May 4, 2016
BDU:2020-02964
Vulnerability in the X509_NAME_oneline function (crypto/x509/x509_obj.c) of the OpenSSL library, allowing an attacker to gain unauthorized access to confidential data or cause a denial of service
Severity: HIGH (8.2) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Links:
Published: May 5, 2016
Modified: Nov. 7, 2023
CVE-2016-2105
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://www.openssl.org/news/secadv/20160503.txt
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- openSUSE-SU-2016:1566
- RHSA-2016:0722
- RHSA-2016:0996
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- APPLE-SA-2016-07-18-1
- https://support.apple.com/HT206903
- 91787
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- RHSA-2016:1650
- RHSA-2016:1648
- RHSA-2016:1649
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- 89757
- openSUSE-SU-2016:1240
- openSUSE-SU-2016:1238
- FEDORA-2016-1e39d934ed
- openSUSE-SU-2016:1242
- FreeBSD-SA-16:17
- SUSE-SU-2016:1231
- FEDORA-2016-05c567df1a
- USN-2959-1
- SUSE-SU-2016:1290
- openSUSE-SU-2016:1239
- openSUSE-SU-2016:1241
- SUSE-SU-2016:1206
- openSUSE-SU-2016:1237
- SSA:2016-124-01
- openSUSE-SU-2016:1243
- SUSE-SU-2016:1360
- 1035721
- DSA-3566
- openSUSE-SU-2016:1273
- 20160504 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
- SUSE-SU-2016:1233
- SUSE-SU-2016:1228
- FEDORA-2016-1411324654
- SUSE-SU-2016:1267
- https://bto.bluecoat.com/security-advisory/sa123
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- GLSA-201612-16
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://www.tenable.com/security/tns-2016-18
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://security.netapp.com/advisory/ntap-20160504-0001/
- https://source.android.com/security/bulletin/pixel/2017-11-01
- RHSA-2016:2957
- RHSA-2016:2073
- RHSA-2016:2056
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=5b814481f3573fa9677f3a31ee51322e2a22ee6a
Published: May 5, 2016
Modified: Nov. 7, 2023
CVE-2016-2106
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://www.openssl.org/news/secadv/20160503.txt
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- RHSA-2016:0722
- RHSA-2016:0996
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- APPLE-SA-2016-07-18-1
- https://support.apple.com/HT206903
- 91787
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- RHSA-2016:1650
- RHSA-2016:1648
- RHSA-2016:1649
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- 89744
- openSUSE-SU-2016:1240
- openSUSE-SU-2016:1238
- FEDORA-2016-1e39d934ed
- openSUSE-SU-2016:1242
- FreeBSD-SA-16:17
- SUSE-SU-2016:1231
- FEDORA-2016-05c567df1a
- USN-2959-1
- SUSE-SU-2016:1290
- openSUSE-SU-2016:1239
- openSUSE-SU-2016:1241
- SUSE-SU-2016:1206
- openSUSE-SU-2016:1237
- SSA:2016-124-01
- openSUSE-SU-2016:1243
- SUSE-SU-2016:1360
- 1035721
- DSA-3566
- openSUSE-SU-2016:1273
- 20160504 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
- SUSE-SU-2016:1233
- SUSE-SU-2016:1228
- FEDORA-2016-1411324654
- SUSE-SU-2016:1267
- https://bto.bluecoat.com/security-advisory/sa123
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- GLSA-201612-16
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://www.tenable.com/security/tns-2016-18
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://security.netapp.com/advisory/ntap-20160504-0001/
- https://source.android.com/security/bulletin/pixel/2017-11-01
- RHSA-2016:2957
- RHSA-2016:2073
- RHSA-2016:2056
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=3f3582139fbb259a1c3cbb0a25236500a409bf26
Published: May 5, 2016
Modified: Feb. 16, 2024
CVE-2016-2107
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Links:
- https://www.openssl.org/news/secadv/20160503.txt
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164862
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- openSUSE-SU-2016:1566
- http://source.android.com/security/bulletin/2016-07-01.html
- RHSA-2016:0722
- RHSA-2016:0996
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- APPLE-SA-2016-07-18-1
- https://support.apple.com/HT206903
- 91787
- https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- 89760
- openSUSE-SU-2016:1240
- openSUSE-SU-2016:1238
- FEDORA-2016-1e39d934ed
- http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html
- FreeBSD-SA-16:17
- 39768
- FEDORA-2016-05c567df1a
- USN-2959-1
- SUSE-SU-2016:1206
- openSUSE-SU-2016:1237
- SSA:2016-124-01
- openSUSE-SU-2016:1243
- 1035721
- DSA-3566
- 20160504 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
- SUSE-SU-2016:1233
- SUSE-SU-2016:1228
- FEDORA-2016-1411324654
- https://bto.bluecoat.com/security-advisory/sa123
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- http://support.citrix.com/article/CTX212736
- GLSA-201612-16
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://www.tenable.com/security/tns-2016-18
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05386804
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03726en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- https://security.netapp.com/advisory/ntap-20160504-0001/
- RHSA-2016:2957
- RHSA-2016:2073
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=68595c0c2886e7942a14f98c17a55a88afb6c292
Published: May 5, 2016
Modified: Nov. 7, 2023
CVE-2016-2109
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://www.openssl.org/news/secadv/20160503.txt
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- RHSA-2016:0722
- RHSA-2016:0996
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- APPLE-SA-2016-07-18-1
- https://support.apple.com/HT206903
- 91787
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- 87940
- openSUSE-SU-2016:1240
- openSUSE-SU-2016:1238
- openSUSE-SU-2016:1242
- FreeBSD-SA-16:17
- SUSE-SU-2016:1231
- USN-2959-1
- SUSE-SU-2016:1290
- openSUSE-SU-2016:1239
- openSUSE-SU-2016:1241
- RHSA-2016:2073
- RHSA-2016:2056
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- RHSA-2016:2957
- https://security.netapp.com/advisory/ntap-20160504-0001/
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- https://source.android.com/security/bulletin/2017-07-01
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://www.tenable.com/security/tns-2016-18
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- GLSA-201612-16
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- https://bto.bluecoat.com/security-advisory/sa123
- SUSE-SU-2016:1267
- SUSE-SU-2016:1228
- SUSE-SU-2016:1233
- 20160504 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
- openSUSE-SU-2016:1273
- DSA-3566
- 1035721
- SUSE-SU-2016:1360
- openSUSE-SU-2016:1243
- SSA:2016-124-01
- openSUSE-SU-2016:1237
- SUSE-SU-2016:1206
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c62981390d6cf9e3d612c489b8b77c2913b25807
Published: May 5, 2016
Modified: Nov. 7, 2023
CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Severity: HIGH (8.2) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Links:
- https://www.openssl.org/news/secadv/20160503.txt
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- APPLE-SA-2016-07-18-1
- https://support.apple.com/HT206903
- 91787
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- 89746
- SSA:2016-124-01
- 1035721
- 20160504 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
- https://bto.bluecoat.com/security-advisory/sa123
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- GLSA-201612-16
- https://www.tenable.com/security/tns-2016-18
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- https://security.netapp.com/advisory/ntap-20160504-0001/
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=2919516136a4227d9e6d8f2fe66ef976aaf8c561