openssl-1.0.1e-48.4.0.1.AXS4
Errata ID: AXSA:2017-1308:01
Release date:
2017/02/24 Friday - 14:44
Title:
openssl-1.0.1e-48.4.0.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
Moderate
Description:
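The following issues have been addressed.
[Security Fix]
- A denial-of-service flaw exists in the way the TLS/SSL protocol defines
processing of ALERT packets during an OpenSSL connection handshake. A remote
attacker could cause a TLS/SSL server to consume excessive CPU and fail to
accept connections from other clients. (CVE-2016-8610)
- Information on CVE-2017-3731 has not been published at this time.
This advisory will be updated as soon as the CVE information is published.
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.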
CVE:
CVE-2016-8610
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
Additional information:
N/A
Download:
SRPMS
- openssl-1.0.1e-48.4.0.1.AXS4.src.rpm
MD5: ffba475dcd012b54b123c808c3a6780a
SHA-256: 767fe4188efa00d8d22fcff2976102b9937a22294c4babd59b05860f9384df36
Size: 3.11 MB
Asianux Server 4 for x86
- openssl-1.0.1e-48.4.0.1.AXS4.i686.rpm
MD5: 308f2af91e80529f36c9543a0bb52de0
SHA-256: 3ad1420c10042d6d40a1332bbcc1f88a1f08f2f6de2964583568d08a583bc044
Size: 1.52 MB
- openssl-devel-1.0.1e-48.4.0.1.AXS4.i686.rpm
MD5: 67882b778c455924f3f88956f7992024
SHA-256: 2c21ed151ee60152cf385e8744065820b0bf2ac46a9878e2005977782a13a57b
Size: 1.17 MB
Asianux Server 4 for x86_64
- openssl-1.0.1e-48.4.0.1.AXS4.x86_64.rpm
MD5: ff3347db11d0e0b470a231332b0eabf7
SHA-256: cc41927b4c633070151e99b3ff10cc2f8297de9574d9899da35b0696f033191f
Size: 1.52 MB
- openssl-devel-1.0.1e-48.4.0.1.AXS4.x86_64.rpm
MD5: 0eaddcf9252de20d2338d5e51a85de50
SHA-256: ea86d824b3faf11dafc4a8617416b30191803b7a4888c0a76dfd41381aa67e44
Size: 1.17 MB
- openssl-1.0.1e-48.4.0.1.AXS4.i686.rpm
MD5: 308f2af91e80529f36c9543a0bb52de0
SHA-256: 3ad1420c10042d6d40a1332bbcc1f88a1f08f2f6de2964583568d08a583bc044
Size: 1.52 MB
- openssl-devel-1.0.1e-48.4.0.1.AXS4.i686.rpm
MD5: 67882b778c455924f3f88956f7992024
SHA-256: 2c21ed151ee60152cf385e8744065820b0bf2ac46a9878e2005977782a13a57b
Size: 1.17 MB