Description: | Summary: Several vulnerabilities were discovered in OpenSSL:
CVE-2016-2177 Guido Vranken discovered that OpenSSL uses undefined pointer arithmetic.
CVE-2016-2178 Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing leak in the DSA code.
CVE-2016-2179 / CVE-2016-2181 Quan Luo and the OCAP audit team discovered denial of service vulnerabilities in DTLS.
CVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303 Shi Lei discovered an out-of-bounds memory read in TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec() and MDC2_Update().
CVE-2016-2183 DES-based cipher suites are demoted from the HIGH group to MEDIUM as a mitigation for the SWEET32 attack.
CVE-2016-6302 Shi Lei discovered that the use of SHA512 in TLS session tickets is susceptible to denial of service.
CVE-2016-6304 Shi Lei discovered that excessively large OCSP status request may result in denial of service via memory exhaustion.
CVE-2016-6306 Shi Lei discovered that missing message length validation when parsing certificates may potentially result in denial of service.
Affected Software/OS: openssl on Debian Linux
Solution: For the stable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u4.
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your openssl packages.
CVSS Score: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
|