Please tell us how to deal with the OpenSSL vulnerability CVE-2016-6304.
I use CentOS 6.6 and openssl 1.0.1.
I have checked for the latest updates with the yum command, but the latest version does not address the vulnerability CVE-2016-6304.
# rpm -q openssl
openssl-1.0.1e-48.el6_8.1.x86_64
# rpm -q --changelog openssl | head
* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48
- fix CVE-2016-0702 - side channel attack on modular exponentiation
# yum list-sec cves
Loaded plugins: fastestmirror, security
updateinfo list done
OpenSSL 1.0.1 vulnerability CVE-2016-6304
Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304
CVE-2016-6304 got fixed in openssl-1.0.1e-48.el6_8.3 yesterday by Red Hat. The corresponding CentOS package should be released to the mirrors any moment now.
Note that "yum list-sec cves" does not list any CentOS packages, because CentOS does not currently publish the required data for that functionality.
Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304
The update has now been released. It may take a few hours before the updated packages reach your local mirror.
Re: OpenSSL 1.0.1 vulnerability CVE-2016-6304
Thank you for your help!
The update succeeded!
# rpm -q --changelog openssl | head -n 20
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.3
- fix CVE-2016-2177 - possible integer overflow
- fix CVE-2016-2178 - non-constant time DSA operations
- fix CVE-2016-2179 - further DoS issues in DTLS
- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()
- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue
- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()
- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check
- fix CVE-2016-6304 - unbound memory growth with OCSP status request
- fix CVE-2016-6306 - certificate message OOB reads
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
112 bit effective strength
- replace expired testing certificates
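The thread's way of confirming the fix (reading `rpm -q --changelog openssl` rather than trusting the `1.0.1e` version string, which Red Hat keeps unchanged while backporting fixes) can be turned into a small check. The script below is an added example and is not code from the forum thread or from CentOS; the two changelog samples are constructed from the lines quoted in the thread so that it runs offline, and `check_installed_package` only runs the live `rpm` query when the `rpm` command exists on the host.

```shell
#!/bin/sh
# Added example: decide whether a package's RPM changelog records a fix
# for a given CVE. This is how the thread verifies CVE-2016-6304 on
# CentOS 6, where "yum list-sec cves" returns nothing and the upstream
# version string (1.0.1e) does not change between security updates.

# Constructed sample: the changelog head of openssl-1.0.1e-48.el6_8.1
# (before the fix), with the entries quoted in the thread.
OLD_CHANGELOG='* Mon May 02 2016 maintainer 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
* Wed Feb 24 2016 maintainer 1.0.1e-48
- fix CVE-2016-0702 - side channel attack on modular exponentiation'

# Constructed sample: the changelog head of openssl-1.0.1e-48.el6_8.3
# (after the fix), again using entries quoted in the thread.
NEW_CHANGELOG='* Thu Sep 22 2016 maintainer 1.0.1e-48.3
- fix CVE-2016-2177 - possible integer overflow
- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check
- fix CVE-2016-6304 - unbound memory growth with OCSP status request
- fix CVE-2016-6306 - certificate message OOB reads
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
112 bit effective strength'

# cve_fixed_in CVE-ID CHANGELOG_TEXT
# Returns 0 when the changelog has a "- fix <CVE>" or "- mitigate <CVE>"
# entry, 1 otherwise. The trailing ([^0-9]|$) keeps a partial id such as
# CVE-2016-630 from matching the CVE-2016-6304 line.
cve_fixed_in() {
    cve="$1"
    changelog="$2"
    printf '%s\n' "$changelog" | grep -qiE "^- (fix|mitigate) ${cve}([^0-9]|$)"
}

# check_installed_package PACKAGE CVE-ID
# Runs the same test against the changelog of the installed package.
# Returns 0 if fixed, 1 if not listed, 2 if rpm is not available here.
check_installed_package() {
    pkg="$1"
    cve="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping live check for $pkg" >&2
        return 2
    fi
    installed=$(rpm -q "$pkg") || return 2
    if cve_fixed_in "$cve" "$(rpm -q --changelog "$pkg")"; then
        echo "$installed: $cve is listed as fixed"
        return 0
    fi
    echo "$installed: no changelog entry for $cve; update the package"
    return 1
}

# Demonstration on the constructed samples.
for label in OLD NEW; do
    eval "text=\$${label}_CHANGELOG"
    if cve_fixed_in CVE-2016-6304 "$text"; then
        echo "$label changelog: CVE-2016-6304 fixed"
    else
        echo "$label changelog: CVE-2016-6304 NOT fixed"
    fi
done

# Live check of the host's openssl package (skipped where rpm is absent).
check_installed_package openssl CVE-2016-6304 || true
```

On the box from the thread this prints "openssl-1.0.1e-48.el6_8.1.x86_64: no changelog entry for CVE-2016-6304" before the update and "openssl-1.0.1e-48.el6_8.3.x86_64: CVE-2016-6304 is listed as fixed" after it; the package name is the only part of the output that needs to change for other packages.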