openssl-1.0.1e-30.AXS4.7

Errata ID: AXSA:2015-090:02

Release date: 
Monday, March 30, 2015 - 23:50
Subject: 
openssl-1.0.1e-30.AXS4.7
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

Security issues fixed with this release:

CVE-2015-0209
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.

CVE-2015-0286
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.

CVE-2015-0287
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.

CVE-2015-0288
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.

CVE-2015-0289
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

CVE-2015-0292
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.

CVE-2015-0293
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Solution: 

Update package.

Additional Info: 

N/A

Download: 

SRPMS
  1. openssl-1.0.1e-30.AXS4.7.src.rpm
    MD5: ad53fdd8d3f0b55fbd6c63b00407276a
    SHA-256: 83d827328d69a3b1fc69ebdb53bc6af3169930876b4b562104db61e99dc39f5f
    Size: 3.05 MB

Asianux Server 4 for x86
  1. openssl-1.0.1e-30.AXS4.7.i686.rpm
    MD5: 2bbaefb0bfad7350f01747c3eb12d569
    SHA-256: af7683dfb8a6e7d6528f19f2a6482d4e5837f5af3b330a868d27fb346e73ad25
    Size: 1.51 MB
  2. openssl-devel-1.0.1e-30.AXS4.7.i686.rpm
    MD5: a4f408e731e2bdfee699c7dcafcc6131
    SHA-256: 1292fe0aecc40aaa1efef129c2488bd16029c8b09058369a91276426aec0f2aa
    Size: 1.17 MB

Asianux Server 4 for x86_64
  1. openssl-1.0.1e-30.AXS4.7.x86_64.rpm
    MD5: 25a35663cf0ecc8fe5776315514a6154
    SHA-256: dbe75f5a9e16d4a90e8bf66395df43c25a9699cbef8428b843b4b87e4712ec46
    Size: 1.52 MB
  2. openssl-devel-1.0.1e-30.AXS4.7.x86_64.rpm
    MD5: 969ad5cd62af1c7367d9d949951821ef
    SHA-256: 32f3772168040e930eca1d670c094f968e3834fb0db484ba533edbe740e88d7d
    Size: 1.17 MB
  3. openssl-1.0.1e-30.AXS4.7.i686.rpm
    MD5: 2bbaefb0bfad7350f01747c3eb12d569
    SHA-256: af7683dfb8a6e7d6528f19f2a6482d4e5837f5af3b330a868d27fb346e73ad25
    Size: 1.51 MB
  4. openssl-devel-1.0.1e-30.AXS4.7.i686.rpm
    MD5: a4f408e731e2bdfee699c7dcafcc6131
    SHA-256: 1292fe0aecc40aaa1efef129c2488bd16029c8b09058369a91276426aec0f2aa
    Size: 1.17 MB