ID

VAR-201506-0496

CVE

CVE-2015-1791

TITLE

OpenSSL ‘ ssl3_get_new_session_ticket 'function competition condition vulnerability

DESCRIPTION

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier. OpenSSL is prone to a race-condition security vulnerability. The impact of this issue is currently unknown. We will update this BID when more information emerges. The following are vulnerable: OpenSSL 1.0.2 prior to 1.0.2b OpenSSL 1.0.1 prior to 1.0.1n OpenSSL 1.0.0 prior to 1.0.0s OpenSSL 0.9.8 prior to 0.9.8zg. Release Date: 2015-08-05 Last Updated: 2015-08-05 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running OpenSSL with SSL/TLS enabled. This is the TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as Logjam which could be exploited remotely resulting in disclosure of information. References: CVE-2015-4000: DHE man-in-the-middle protection (Logjam). CVE-2015-1788: Malformed ECParameters causes infinite loop. SSRT102180 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2015-4000 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2015-1788 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2015-1789 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2015-1790 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-1791 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2015-1792 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-1793 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided an updated version of OpenSSL to resolve this vulnerability. A new B.11.31 depot for OpenSSL_A.01.00.01p is available here: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =OPENSSL11I MANUAL ACTIONS: Yes - Update PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.31 ================== openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.01.00.01p or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 5 August 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201506-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: June 22, 2015 Bugs: #551832 ID: 201506-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.1o >= 0.9.8z_p7 >= 1.0.1o Description =========== Multiple vulnerabilities have been found in OpenSSL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker can cause Denial of Service and information disclosure. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL 1.0.1 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1o" All OpenSSL 0.9.8 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8z_p7" References ========== [ 1 ] CVE-2014-8176 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8176 [ 2 ] CVE-2015-1788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1788 [ 3 ] CVE-2015-1789 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1789 [ 4 ] CVE-2015-1790 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1790 [ 5 ] CVE-2015-1791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1791 [ 6 ] CVE-2015-1792 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1792 [ 7 ] CVE-2015-4000 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201506-02 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2015:1115-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1115.html Issue date: 2015-06-15 CVE Names: CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 ===================================================================== 1. Summary: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could cause a DTLS server or client using OpenSSL to crash or, potentially, execute arbitrary code. (CVE-2014-8176) A flaw was found in the way the OpenSSL packages shipped with Red Hat Enterprise Linux 6 and 7 performed locking in the ssleay_rand_bytes() function. This issue could possibly cause a multi-threaded application using OpenSSL to perform an out-of-bounds read and crash. (CVE-2015-3216) An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL. A specially crafted X.509 certificate or a Certificate Revocation List (CRL) could possibly cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2015-1789) A race condition was found in the session handling code of OpenSSL. (CVE-2015-1791) A flaw was found in the way OpenSSL handled Cryptographic Message Syntax (CMS) messages. A CMS message with an unknown hash function identifier could cause an application using OpenSSL to enter an infinite loop. (CVE-2015-1792) A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. A specially crafted PKCS#7 input with missing EncryptedContent data could cause an application using OpenSSL to crash. (CVE-2015-1790) Red Hat would like to thank the OpenSSL project for reporting CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792 flaws. Upstream acknowledges Praveen Kariyanahalli and Ivan Fratric as the original reporters of CVE-2014-8176, Robert Swiecki and Hanno Böck as the original reporters of CVE-2015-1789, Michal Zalewski as the original reporter of CVE-2015-1790, Emilia Käsper as the original report of CVE-2015-1791 and Johannes Bauer as the original reporter of CVE-2015-1792. All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1227574 - CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression 1228603 - CVE-2015-1789 OpenSSL: out-of-bounds read in X509_cmp_time 1228604 - CVE-2015-1790 OpenSSL: PKCS7 crash with missing EnvelopedContent 1228607 - CVE-2015-1792 OpenSSL: CMS verify infinite loop with unknown hash function 1228608 - CVE-2015-1791 OpenSSL: Race condition handling NewSessionTicket 1228611 - CVE-2014-8176 OpenSSL: Invalid free in DTLS 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: openssl-1.0.1e-30.el6_6.11.src.rpm i386: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm x86_64: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm openssl-perl-1.0.1e-30.el6_6.11.i686.rpm openssl-static-1.0.1e-30.el6_6.11.i686.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: openssl-1.0.1e-30.el6_6.11.src.rpm x86_64: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: openssl-1.0.1e-30.el6_6.11.src.rpm i386: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm ppc64: openssl-1.0.1e-30.el6_6.11.ppc.rpm openssl-1.0.1e-30.el6_6.11.ppc64.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.ppc.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.ppc64.rpm openssl-devel-1.0.1e-30.el6_6.11.ppc.rpm openssl-devel-1.0.1e-30.el6_6.11.ppc64.rpm s390x: openssl-1.0.1e-30.el6_6.11.s390.rpm openssl-1.0.1e-30.el6_6.11.s390x.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.s390.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.s390x.rpm openssl-devel-1.0.1e-30.el6_6.11.s390.rpm openssl-devel-1.0.1e-30.el6_6.11.s390x.rpm x86_64: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-perl-1.0.1e-30.el6_6.11.i686.rpm openssl-static-1.0.1e-30.el6_6.11.i686.rpm ppc64: openssl-debuginfo-1.0.1e-30.el6_6.11.ppc64.rpm openssl-perl-1.0.1e-30.el6_6.11.ppc64.rpm openssl-static-1.0.1e-30.el6_6.11.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-30.el6_6.11.s390x.rpm openssl-perl-1.0.1e-30.el6_6.11.s390x.rpm openssl-static-1.0.1e-30.el6_6.11.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: openssl-1.0.1e-30.el6_6.11.src.rpm i386: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm x86_64: openssl-1.0.1e-30.el6_6.11.i686.rpm openssl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.11.i686.rpm openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm openssl-perl-1.0.1e-30.el6_6.11.i686.rpm openssl-static-1.0.1e-30.el6_6.11.i686.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: openssl-1.0.1e-42.el7_1.8.src.rpm x86_64: openssl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-libs-1.0.1e-42.el7_1.8.i686.rpm openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-devel-1.0.1e-42.el7_1.8.i686.rpm openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-static-1.0.1e-42.el7_1.8.i686.rpm openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: openssl-1.0.1e-42.el7_1.8.src.rpm x86_64: openssl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-libs-1.0.1e-42.el7_1.8.i686.rpm openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-devel-1.0.1e-42.el7_1.8.i686.rpm openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-static-1.0.1e-42.el7_1.8.i686.rpm openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openssl-1.0.1e-42.el7_1.8.src.rpm ppc64: openssl-1.0.1e-42.el7_1.8.ppc64.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.ppc.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.ppc64.rpm openssl-devel-1.0.1e-42.el7_1.8.ppc.rpm openssl-devel-1.0.1e-42.el7_1.8.ppc64.rpm openssl-libs-1.0.1e-42.el7_1.8.ppc.rpm openssl-libs-1.0.1e-42.el7_1.8.ppc64.rpm s390x: openssl-1.0.1e-42.el7_1.8.s390x.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.s390.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.s390x.rpm openssl-devel-1.0.1e-42.el7_1.8.s390.rpm openssl-devel-1.0.1e-42.el7_1.8.s390x.rpm openssl-libs-1.0.1e-42.el7_1.8.s390.rpm openssl-libs-1.0.1e-42.el7_1.8.s390x.rpm x86_64: openssl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-devel-1.0.1e-42.el7_1.8.i686.rpm openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm openssl-libs-1.0.1e-42.el7_1.8.i686.rpm openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openssl-1.0.1e-42.ael7b_1.8.src.rpm ppc64le: openssl-1.0.1e-42.ael7b_1.8.ppc64le.rpm openssl-debuginfo-1.0.1e-42.ael7b_1.8.ppc64le.rpm openssl-devel-1.0.1e-42.ael7b_1.8.ppc64le.rpm openssl-libs-1.0.1e-42.ael7b_1.8.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: openssl-debuginfo-1.0.1e-42.el7_1.8.ppc.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.ppc64.rpm openssl-perl-1.0.1e-42.el7_1.8.ppc64.rpm openssl-static-1.0.1e-42.el7_1.8.ppc.rpm openssl-static-1.0.1e-42.el7_1.8.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-42.el7_1.8.s390.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.s390x.rpm openssl-perl-1.0.1e-42.el7_1.8.s390x.rpm openssl-static-1.0.1e-42.el7_1.8.s390.rpm openssl-static-1.0.1e-42.el7_1.8.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-static-1.0.1e-42.el7_1.8.i686.rpm openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64le: openssl-debuginfo-1.0.1e-42.ael7b_1.8.ppc64le.rpm openssl-perl-1.0.1e-42.ael7b_1.8.ppc64le.rpm openssl-static-1.0.1e-42.ael7b_1.8.ppc64le.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openssl-1.0.1e-42.el7_1.8.src.rpm x86_64: openssl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-devel-1.0.1e-42.el7_1.8.i686.rpm openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm openssl-libs-1.0.1e-42.el7_1.8.i686.rpm openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm openssl-static-1.0.1e-42.el7_1.8.i686.rpm openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-8176 https://access.redhat.com/security/cve/CVE-2015-1789 https://access.redhat.com/security/cve/CVE-2015-1790 https://access.redhat.com/security/cve/CVE-2015-1791 https://access.redhat.com/security/cve/CVE-2015-1792 https://access.redhat.com/security/cve/CVE-2015-3216 https://access.redhat.com/security/updates/classification/#moderate https://www.openssl.org/news/secadv_20150611.txt 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFVf0NNXlSAg2UNWIIRArL4AJ9e7lbD/4Nks5midR5o3E4Bs5lQWQCgnrvk ZyXizCcFL9oAQexObjxp/Mo= =PXiY -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.1n-i486-1_slack14.1.txz: Upgraded. +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated packages for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8zg-i486-1_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8zg-i486-1_slack13.0.txz Updated packages for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8zg-x86_64-1_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8zg-x86_64-1_slack13.0.txz Updated packages for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8zg-i486-1_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8zg-i486-1_slack13.1.txz Updated packages for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8zg-x86_64-1_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8zg-x86_64-1_slack13.1.txz Updated packages for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8zg-i486-1_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8zg-i486-1_slack13.37.txz Updated packages for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8zg-x86_64-1_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8zg-x86_64-1_slack13.37.txz Updated packages for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1n-i486-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1n-i486-1_slack14.0.txz Updated packages for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1n-x86_64-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1n-x86_64-1_slack14.0.txz Updated packages for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1n-i486-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1n-i486-1_slack14.1.txz Updated packages for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1n-x86_64-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1n-x86_64-1_slack14.1.txz Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1n-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1n-i586-1.txz Updated packages for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1n-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1n-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 packages: 383ecfed6bfef1440a44d7082745848a openssl-0.9.8zg-i486-1_slack13.0.txz fb186187ffa200e22d9450a9d0e321f6 openssl-solibs-0.9.8zg-i486-1_slack13.0.txz Slackware x86_64 13.0 packages: eb52318ed52fef726402f0b2a74745c5 openssl-0.9.8zg-x86_64-1_slack13.0.txz 9447927b960a01b21149e28a9783021f openssl-solibs-0.9.8zg-x86_64-1_slack13.0.txz Slackware 13.1 packages: 37f46f6b4fe2acbe217eaf7c0b33b704 openssl-0.9.8zg-i486-1_slack13.1.txz 986de2e71676f61d788a59a1e0c8de1f openssl-solibs-0.9.8zg-i486-1_slack13.1.txz Slackware x86_64 13.1 packages: 6b160ce817dcde3ae5b3a861b284387b openssl-0.9.8zg-x86_64-1_slack13.1.txz 503d891680c711162386ea7e3daadca8 openssl-solibs-0.9.8zg-x86_64-1_slack13.1.txz Slackware 13.37 packages: 5e7501b1d73d01d3d87704c3cfd3a888 openssl-0.9.8zg-i486-1_slack13.37.txz 874f0b59870dd3f259640c9930a02f99 openssl-solibs-0.9.8zg-i486-1_slack13.37.txz Slackware x86_64 13.37 packages: b6d91614458040d461dff3c3eab45206 openssl-0.9.8zg-x86_64-1_slack13.37.txz be106df5e59c2be7fa442df8ba85ad0b openssl-solibs-0.9.8zg-x86_64-1_slack13.37.txz Slackware 14.0 packages: ee7c3937e6a6d7ac7537f751af7da7b9 openssl-1.0.1n-i486-1_slack14.0.txz 758662437d33f99ec0a686cedeb1919e openssl-solibs-1.0.1n-i486-1_slack14.0.txz Slackware x86_64 14.0 packages: 2dfdc4729e93cf460018e9e30a6223dc openssl-1.0.1n-x86_64-1_slack14.0.txz 9cb4b34e97e60f6bfe4c843aabeae954 openssl-solibs-1.0.1n-x86_64-1_slack14.0.txz Slackware 14.1 packages: 5a9bf08d55615cfc097109c2e3786f7b openssl-1.0.1n-i486-1_slack14.1.txz fb1c05468e5c38d51a8ff6ac435e3a20 openssl-solibs-1.0.1n-i486-1_slack14.1.txz Slackware x86_64 14.1 packages: 1ef5cede3f954c3e4741012ffa76b750 openssl-1.0.1n-x86_64-1_slack14.1.txz ea22c288c60ae1d7ea8c5b3a1608462b openssl-solibs-1.0.1n-x86_64-1_slack14.1.txz Slackware -current packages: 56db8712d653c060f910e8915a8f8656 a/openssl-solibs-1.0.1n-i586-1.txz 6d6264c9943e27240db5c8f5ec342e27 n/openssl-1.0.1n-i586-1.txz Slackware x86_64 -current packages: e73f7aff5aa0ad14bc06428544f99ae2 a/openssl-solibs-1.0.1n-x86_64-1.txz 91b550b9eb0ac0c580e158375a93c0e4 n/openssl-1.0.1n-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg openssl-1.0.1n-i486-1_slack14.1.txz openssl-solibs-1.0.1n-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS)

AFFECTED PRODUCTS