{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20162005", "Version": "oval:org.altlinux.errata:def:20162005", "Class": "patch", "Metadata": { "Title": "ALT-PU-2016-2005: package `openssl10` update to version 1.0.2i-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p11" ], "Products": [ "ALT Container" ] } ], "References": [ { "RefID": "ALT-PU-2016-2005", "RefURL": "https://errata.altlinux.org/ALT-PU-2016-2005", "Source": "ALTPU" }, { "RefID": "BDU:2016-02167", "RefURL": "https://bdu.fstec.ru/vul/2016-02167", "Source": "BDU" }, { "RefID": "BDU:2016-02168", "RefURL": "https://bdu.fstec.ru/vul/2016-02168", "Source": "BDU" }, { "RefID": "BDU:2019-01911", "RefURL": "https://bdu.fstec.ru/vul/2019-01911", "Source": "BDU" }, { "RefID": "BDU:2019-01912", "RefURL": "https://bdu.fstec.ru/vul/2019-01912", "Source": "BDU" }, { "RefID": "BDU:2021-03140", "RefURL": "https://bdu.fstec.ru/vul/2021-03140", "Source": "BDU" }, { "RefID": "BDU:2022-02461", "RefURL": "https://bdu.fstec.ru/vul/2022-02461", "Source": "BDU" }, { "RefID": "BDU:2022-02462", "RefURL": "https://bdu.fstec.ru/vul/2022-02462", "Source": "BDU" }, { "RefID": "BDU:2022-02556", "RefURL": "https://bdu.fstec.ru/vul/2022-02556", "Source": "BDU" }, { "RefID": "BDU:2022-02557", "RefURL": "https://bdu.fstec.ru/vul/2022-02557", "Source": "BDU" }, { "RefID": "BDU:2022-02559", "RefURL": "https://bdu.fstec.ru/vul/2022-02559", "Source": "BDU" }, { "RefID": "CVE-2016-2177", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177", "Source": "CVE" }, { "RefID": "CVE-2016-2179", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2179", "Source": "CVE" }, { "RefID": "CVE-2016-2180", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2180", "Source": "CVE" }, { "RefID": "CVE-2016-2181", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2181", "Source": "CVE" }, { "RefID": "CVE-2016-2182", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2182", "Source": "CVE" }, { "RefID": "CVE-2016-2183", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183", "Source": "CVE" }, { "RefID": "CVE-2016-6302", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6302", "Source": "CVE" }, { "RefID": "CVE-2016-6303", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303", "Source": "CVE" }, { "RefID": "CVE-2016-6304", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6304", "Source": "CVE" }, { "RefID": "CVE-2016-6306", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6306", "Source": "CVE" } ], "Description": "This update upgrades openssl10 to version 1.0.2i-alt1. \nSecurity Fix(es):\n\n * BDU:2016-02167: Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие\n\n * BDU:2016-02168: Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2019-01911: Уязвимость в файле t1_lib.c библиотеки OpenSSL, позволяющие нарушителю вызвать отказ в обслуживании\n\n * BDU:2019-01912: Уязвимость функции MDC2_Update библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03140: Уязвимость алгоритмов шифрования DES и Triple DES, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2022-02461: Уязвимость библиотеки OpenSSL, связанная с чтением за границами буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-02462: Уязвимость функции tls_decrypt_ticket (ssl/t1_lib.c) библиотеки OpenSSL существует из-за недостаточной проверки входных данных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-02556: Уязвимость функции ts_obj_print_bio библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-02557: Уязвимость реализации протокола DTLS библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-02559: Уязвимость библиотеки OpenSSL, вызванная целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании или, возможно, оказать другое воздействие\n\n * CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.\n\n * CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.\n\n * CVE-2016-2180: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the \"openssl ts\" command.\n\n * CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.\n\n * CVE-2016-2182: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.\n\n * CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.\n\n * CVE-2016-6302: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.\n\n * CVE-2016-6303: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.\n\n * CVE-2016-6304: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.\n\n * CVE-2016-6306: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.", "Advisory": { "From": "errata.altlinux.org", "Severity": "Critical", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2016-09-22" }, "Updated": { "Date": "2016-09-22" }, "BDUs": [ { "ID": "BDU:2016-02167", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CWE": "CWE-125", "Href": "https://bdu.fstec.ru/vul/2016-02167", "Impact": "High", "Public": "20160916" }, { "ID": "BDU:2016-02168", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-189", "Href": "https://bdu.fstec.ru/vul/2016-02168", "Impact": "Low", "Public": "20160916" }, { "ID": "BDU:2019-01911", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-399", "Href": "https://bdu.fstec.ru/vul/2019-01911", "Impact": "High", "Public": "20160829" }, { "ID": "BDU:2019-01912", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-787", "Href": "https://bdu.fstec.ru/vul/2019-01912", "Impact": "Critical", "Public": "20160811" }, { "ID": "BDU:2021-03140", "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "CWE": "CWE-200", "Href": "https://bdu.fstec.ru/vul/2021-03140", "Impact": "High", "Public": "20160831" }, { "ID": "BDU:2022-02461", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-125", "Href": "https://bdu.fstec.ru/vul/2022-02461", "Impact": "Low", "Public": "20160926" }, { "ID": "BDU:2022-02462", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-20", "Href": "https://bdu.fstec.ru/vul/2022-02462", "Impact": "High", "Public": "20160916" }, { "ID": "BDU:2022-02556", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-125", "Href": "https://bdu.fstec.ru/vul/2022-02556", "Impact": "High", "Public": "20160801" }, { "ID": "BDU:2022-02557", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-399", "Href": "https://bdu.fstec.ru/vul/2022-02557", "Impact": "High", "Public": "20160916" }, { "ID": "BDU:2022-02559", "CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2022-02559", "Impact": "Critical", "Public": "20160620" } ], "CVEs": [ { "ID": "CVE-2016-2177", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177", "Impact": "Critical", "Public": "20160620" }, { "ID": "CVE-2016-2179", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-399", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2179", "Impact": "High", "Public": "20160916" }, { "ID": "CVE-2016-2180", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-125", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2180", "Impact": "High", "Public": "20160801" }, { "ID": "CVE-2016-2181", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-189", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2181", "Impact": "High", "Public": "20160916" }, { "ID": "CVE-2016-2182", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-787", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2182", "Impact": "Critical", "Public": "20160916" }, { "ID": "CVE-2016-2183", "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "CWE": "CWE-200", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183", "Impact": "High", "Public": "20160901" }, { "ID": "CVE-2016-6302", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-20", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6302", "Impact": "High", "Public": "20160916" }, { "ID": "CVE-2016-6303", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-787", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303", "Impact": "Critical", "Public": "20160916" }, { "ID": "CVE-2016-6304", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-401", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6304", "Impact": "High", "Public": "20160926" }, { "ID": "CVE-2016-6306", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-125", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6306", "Impact": "Low", "Public": "20160926" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:container:11" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:3001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20162005001", "Comment": "libcrypto10 is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005002", "Comment": "libssl-devel is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005003", "Comment": "libssl-devel-static is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005004", "Comment": "libssl10 is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005005", "Comment": "openssl is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005006", "Comment": "openssl-doc is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005007", "Comment": "openssl-engines is earlier than 0:1.0.2i-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162005008", "Comment": "tsget is earlier than 0:1.0.2i-alt1" } ] } ] } } ] }