OpenSSL 1.0.1 vulnerability CVE-2016-6304

Support for security such as Firewalls and securing linux
Post Reply
T.Yamamoto
Posts: 2
Joined: 2016/09/28 08:18:44

OpenSSL 1.0.1 vulnerability CVE-2016-6304

Post by T.Yamamoto » 2016/09/28 08:32:16

Please tell us about how to correspond with vulnerability CVE-2016-6304 of OpenSSL.
I use the CentOS6.6 and openssl1.0.1.

I have confirmed the latest updates in the yum command but the latest version is not corresponding with thevulnerability CVE-2016-6304.

# rpm -q openssl
openssl-1.0.1e-48.el6_8.1.x86_64

# rpm -q --changelog openssl | head
* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf

* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48
- fix CVE-2016-0702 - side channel attack on modular exponentiation

# yum list-sec cves
Loaded plugins: fastestmirror, security
updateinfo list done

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304

Post by avij » 2016/09/28 10:22:09

CVE-2016-6304 got fixed in openssl-1.0.1e-48.el6_8.3 yesterday by Red Hat. The corresponding CentOS package should be released to the mirrors any moment now.

Note that "yum list-sec cves" does not list any CentOS packages, because CentOS does not currently publish the required data for that functionality.

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304

Post by avij » 2016/09/28 15:30:35

The update has now been released. It may take a few hours before the updated packages reach your local mirror.

T.Yamamoto
Posts: 2
Joined: 2016/09/28 08:18:44

Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304

Post by T.Yamamoto » 2016/09/29 03:06:47

Thank you for your help!
The update succeeded!

# rpm -q --changelog openssl | head -n 20
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.3
- fix CVE-2016-2177 - possible integer overflow
- fix CVE-2016-2178 - non-constant time DSA operations
- fix CVE-2016-2179 - further DoS issues in DTLS
- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()
- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue
- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()
- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check
- fix CVE-2016-6304 - unbound memory growth with OCSP status request
- fix CVE-2016-6306 - certificate message OOB reads
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
112 bit effective strength
- replace expired testing certificates

Post Reply