| Errata ID | 302 |
|---|---|
| Date | 2015-09-02 |
| Source package | openssl |
| Fixed in version | 1.0.1e-2.103.201508290009 |
| Description | Multiple security vulnerabilities have been fixed in openssl: * Invalid free in DTLS (CVE-2014-8176) * Malformed ECParameters causes infinite loop (CVE-2015-1788) * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) * PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) * race condition in NewSessionTicket (CVE-2015-1791) * CMS verify infinite loop with unknown hash function (CVE-2015-1792) * The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. (CVE-2015-4000) |
| Additional notes | |
| CVE ID | CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000 |
| UCS Bug number | #38691 |
