[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78764

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2015-550 --- openssl

ID: oval:org.secpod.oval:def:1200038Date: (C)2015-12-30   (M)2017-11-10
Class: PATCHFamily: unix




LOGJAM: A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange . An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. An out-of-bounds read flaw was found in the X509_cmp_time function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially-crafted SSL/TLS certificate or CRL , which when parsed by an application would cause that application to crash. A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. A race condition was found in the session handling code of OpenSSL. An attacker could cause a multi-threaded SSL/TLS server to crash. A denial of service flaw was found in OpenSSL in the way it verified certain signed messages using CMS . A remote attacker could cause an application using OpenSSL to use excessive amounts of memory by sending a specially-crafted message for verification. An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially-crafted message to the peer, which could cause the application to crash or potentially cause arbitrary code execution. A regression was found in the ssleay_rand_bytes function. This could lead a multi-threaded application to crash

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2015-550
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
CVE-2014-8176
CVE-2015-3216
CVE-2015-4000
CVE    7
CVE-2015-3216
CVE-2014-8176
CVE-2015-1791
CVE-2015-1792
...
CPE    62
cpe:/o:amazon:linux
cpe:/a:openssl:openssl:1.0.1k
cpe:/a:openssl:openssl:1.0.2
cpe:/a:openssl:openssl:1.0.1m
...

© 2013 SecPod Technologies