Debian OpenSSL vulnerabilities

277 known vulnerabilities affecting debian/openssl.

Total CVEs: 277
CISA KEV: 1 (actively exploited)
Public exploits: 27
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 70, MEDIUM 109, LOW 84, UNKNOWN 2

Vulnerabilities

Page 5 of 14
CVE-2019-1549 | MEDIUM | CVSS 5.3 | fixed in openssl 1.1.1d-1 (bookworm) | 2019
[MEDIUM] openssl: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high pre
Source: debian
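The fork hazard the advisory describes is easy to reproduce with any userspace generator whose state is copied into the child. The following is an added example, not OpenSSL code and not from the Debian tracker: it uses Python's random.Random as a stand-in for the DRBG and os.urandom as the stand-in for OS entropy, and shows the protection the advisory says was not enabled by default, a pid check that reseeds after fork(). Class and function names are the example's own.

```python
import os
import random


class PidTrackingRng:
    """Userspace PRNG with the fork protection the advisory refers to: remember the
    pid that seeded the state and reseed whenever it no longer matches, i.e. after
    fork(). random.Random stands in for the DRBG (illustrative only, not a CSPRNG)."""

    def __init__(self, fork_safe):
        self.fork_safe = fork_safe
        self._rng = random.Random(os.urandom(32))   # seeded from OS entropy
        self._pid = os.getpid()

    def bytes(self, n):
        if self.fork_safe and os.getpid() != self._pid:
            # fork detected: never continue from the inherited state
            self._rng.seed(os.urandom(32))
            self._pid = os.getpid()
        return self._rng.getrandbits(8 * n).to_bytes(n, "big")


def outputs_after_fork(rng, n=16):
    """Fork; return (parent_bytes, child_bytes), both drawn from the same pre-fork state."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child: send its draw to the parent
        os.close(r)
        os.write(w, rng.bytes(n))
        os._exit(0)
    os.close(w)
    child = b""
    while len(child) < n:
        chunk = os.read(r, n - len(child))
        if not chunk:
            break
        child += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return rng.bytes(n), child


def shares_state_across_fork(fork_safe):
    """True when parent and child produce identical 'random' bytes after fork()."""
    rng = PidTrackingRng(fork_safe)
    rng.bytes(16)            # the generator has already been used, as in a server
    parent, child = outputs_after_fork(rng)
    return parent == child


if __name__ == "__main__":
    print("no fork protection, identical output:", shares_state_across_fork(False))
    print("pid check enabled,  identical output:", shares_state_across_fork(True))
```

Without the check both processes continue the same stream, which is exactly what lets a child's session keys be predicted from the parent's. A pid comparison is the minimal protection; it can be fooled by pid reuse in long-lived processes, so a pthread_atfork handler that marks the state stale is the more robust hook.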
CVE-2019-1559 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.0b-2 (bookworm) | 2019
[MEDIUM] openssl: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently b
Source: debian
CVE-2019-1563 | LOW | CVSS 3.7 | fixed in openssl 1.1.1d-1 (bookworm) | 2019
[LOW] openssl: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. App
Source: debian
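To make concrete what "automated notification of the success or failure of a decryption attempt" buys an attacker, here is an added example (not OpenSSL code, not from the advisory) that runs Bleichenbacher's 1998 attack end to end against a constructed toy RSA key. The key uses two fixed primes, 2^61-1 and 2^64-59, far too small for real use and chosen only so the attack finishes in a fraction of a second; the oracle is the "lax" one from the paper, answering only whether the decrypted block starts with 00 02. All names are the example's own.

```python
import os

# Constructed toy RSA key: 125-bit modulus from two fixed primes. Demo only.
P = 2305843009213693951                 # 2^61 - 1
Q = 18446744073709551557                # 2^64 - 59
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # modulus length in bytes (16 here)
B = 1 << (8 * (K - 2))                  # Bleichenbacher's B = 2^(8(k-2))


def ceil_div(x, y):
    return -(-x // y)


def pkcs1_v15_pad(msg):
    """EME-PKCS1-v1_5 type 2: 00 02 || nonzero random PS (>= 8 bytes) || 00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        byte = os.urandom(1)
        if byte != b"\x00":
            ps += byte
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def encrypt(msg):
    return pow(pkcs1_v15_pad(msg), E, N)


def leaky_oracle(c):
    """What the attacker observes: did decryption 'succeed'? (lax check: 00 02 prefix)"""
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def first_conformant_multiplier(c0, s_start):
    """Smallest s >= s_start with c0 * s^e conformant (paper steps 2a / 2b)."""
    s = s_start
    while not leaky_oracle((c0 * pow(s, E, N)) % N):
        s += 1
    return s


def narrow(intervals, s):
    """Step 3: keep only m with 2B <= m*s - r*n < 3B for some integer r."""
    out = set()
    for a, b in intervals:
        for r in range(max(0, ceil_div(a * s - 3 * B + 1, N)), (b * s - 2 * B) // N + 1):
            lo = max(a, ceil_div(2 * B + r * N, s))
            hi = min(b, (3 * B - 1 + r * N) // s)
            if lo <= hi:
                out.add((lo, hi))
    return sorted(out)


def bleichenbacher(c0):
    """Recover the padded plaintext integer of a conformant ciphertext using only the oracle."""
    M = [(2 * B, 3 * B - 1)]
    s = first_conformant_multiplier(c0, ceil_div(N, 3 * B))          # step 2a
    M = narrow(M, s)
    while not (len(M) == 1 and M[0][0] == M[0][1]):
        if len(M) > 1:
            s = first_conformant_multiplier(c0, s + 1)                # step 2b
        else:
            a, b = M[0]                                               # step 2c
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo, hi + 1)
                            if leaky_oracle((c0 * pow(t, E, N)) % N)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1
        M = narrow(M, s)
    return M[0][0]


def recover_message(c0):
    """Strip the recovered PKCS#1 v1.5 block down to the transported message."""
    block = bleichenbacher(c0).to_bytes(K, "big")
    return block[block.index(b"\x00", 2) + 1:]


if __name__ == "__main__":
    c = encrypt(b"key42")
    print("recovered:", recover_message(c))
```

Every iteration is just "decrypt this and tell me whether it worked", which is why the countermeasure (used by TLS and adopted for CMS in the fix) is to make the failure unobservable: on a padding error, carry on with a random key rather than report an error, so the attacker sees the same outcome either way.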
CVE-2019-1551 | LOW | CVSS 5.3 | fixed in openssl 1.1.1e-1 (bookworm) | 2019
[MEDIUM] openssl: There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasib
Source: debian
CVE-2019-1552 | LOW | CVSS 3.3 | 2019
[LOW] openssl: OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting
Source: debian
CVE-2019-1543 | LOW | CVSS 7.4 | fixed in openssl 1.1.1c-1 (bookworm) | 2019
[HIGH] openssl: ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case o
Source: debian
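The damage from that nonce handling is keystream reuse: in the affected versions only the last 12 bytes of a longer nonce reached the cipher, so two 16-byte nonces differing only in their leading bytes encrypt under the same keystream. The following is an added example, not OpenSSL code and not from the advisory: a small RFC 7539 ChaCha20 implementation (the Poly1305 tag is left out because the confidentiality loss comes from the stream alone), a model of the pre-fix length handling, the strict 12-byte check, and the attacker's computation. Function names and the sample plaintexts are the example's own.

```python
import struct

# RFC 7539 ChaCha20 block function, written for this demonstration (not OpenSSL's code).
_CONST = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"
_MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & _MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce."""
    state = (list(_CONST) + list(struct.unpack("<8L", key))
             + [counter] + list(struct.unpack("<3L", nonce)))
    w = state[:]
    for _ in range(10):                                   # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & _MASK for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt; the AEAD starts data at block 1 (block 0 is the Poly1305 key)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


def encrypt_pre_fix(key, iv, data):
    """Models the affected behaviour: 1..16 byte IVs accepted, short ones front-padded
    with zeros, and for long ones only the last 12 bytes are significant."""
    if not 1 <= len(iv) <= 16:
        raise ValueError("iv length")
    nonce = (b"\x00" * 12 + iv)[-12:]
    return chacha20_xor(key, nonce, data)


def encrypt_fixed(key, iv, data):
    """The strict check: the nonce is exactly 96 bits, nothing else is accepted."""
    if len(iv) != 12:
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly 12 bytes (RFC 7539)")
    return chacha20_xor(key, iv, data)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fixed_rejects_long_iv(key):
    try:
        encrypt_fixed(key, b"\x00" * 16, b"x")
        return False
    except ValueError:
        return True


def rfc7539_block_vector_ok():
    """RFC 7539 section 2.3.2 block-function test vector (key 00..1f, counter 1)."""
    out = chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))
    return out[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


if __name__ == "__main__":
    key, base = bytes(range(32)), bytes.fromhex("070000004041424344454647")
    p1, p2 = b"attack at dawn, bring the flag", b"retreat at dusk, hide the flag"
    c1 = encrypt_pre_fix(key, b"\x00\x00\x00\x01" + base, p1)   # "new" nonce...
    c2 = encrypt_pre_fix(key, b"\x00\x00\x00\x02" + base, p2)   # ...same 12 bytes
    print("c1 ^ c2 == p1 ^ p2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
```

An application that bumps the leading bytes of a 16-byte nonce per message believes it has unique nonces; the two ciphertexts above XOR to the XOR of the plaintexts, which is enough to recover both when either has structure. The check in encrypt_fixed is the one to apply before handing a nonce to the cipher.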
CVE-2018-5407 | MEDIUM | CVSS 4.7 | PoC available | fixed in openssl 1.1.1~~pre9-1 (bookworm) | 2018
[MEDIUM] openssl: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. Scope: local. bookworm: resolved (fixed in 1.1.1~~pre9-1); bullseye: resolved (fixed in 1.1.1~~pre9-1); forky: resolved (fixed in 1.1.1~~pre9-1); sid: resolved (fixed in 1.1.1~~pre9-1); trixie: res
Source: debian
CVE-2018-0734 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.1a-1 (bookworm) | 2018
[MEDIUM] openssl: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). Scope: local. bookworm: resolved (fixed in
Source: debian
CVE-2018-0735 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.1a-1 (bookworm) | 2018
[MEDIUM] openssl: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Scope: local. bookworm: resolved (fixed in 1.1.1a-1); bullseye: resolved (fixed in 1.1.1a-
Source: debian
CVE-2018-0733 | LOW | CVSS 5.9 | fixed in openssl 1.1.0h-1 (bookworm) | 2018
[MEDIUM] openssl: Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX ass
Source: debian
CVE-2018-0732 | LOW | CVSS 7.5 | fixed in openssl 1.1.1-1 (bookworm) | 2018
[HIGH] openssl: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1
Source: debian
CVE-2018-0739 | LOW | CVSS 6.5 | fixed in libtomcrypt 1.18.2-1 (bookworm) | 2018
[MEDIUM] libtomcrypt: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0
Source: debian
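The defence for this class of bug is a depth counter checked before each level of recursion, so that malicious nesting produces a parse error instead of exhausting the stack. The following is an added example, not OpenSSL's or libtomcrypt's code: a minimal DER TLV parser with an explicit nesting bound, plus a tiny encoder used only to construct a deeply nested SEQUENCE as test input. MAX_DEPTH is an assumed value for the demo; set it from the deepest structure your schema legitimately needs.

```python
class ASN1Error(Exception):
    """Raised for malformed input; the host's recursion limit never decides the outcome."""


MAX_DEPTH = 32   # assumed bound for this demo


def _read_length(buf, i):
    """DER length at buf[i]: short form, or long form with a minimal 1..4 byte value."""
    if i >= len(buf):
        raise ASN1Error("truncated length")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ASN1Error("indefinite or oversized length is not DER")
    if i + 1 + n > len(buf):
        raise ASN1Error("truncated length")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if buf[i + 1] == 0 or length < 0x80:
        raise ASN1Error("non-minimal length encoding")
    return length, i + 1 + n


def parse(buf, depth=0, max_depth=MAX_DEPTH):
    """Decode DER into [(tag, value), ...]; constructed values recurse and become lists.
    The bound is checked on the way down, before any deeper element is touched."""
    if depth > max_depth:
        raise ASN1Error(f"nesting exceeds {max_depth} levels")
    items, i = [], 0
    while i < len(buf):
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise ASN1Error("multi-byte tag numbers not supported here")
        length, j = _read_length(buf, i + 1)
        if j + length > len(buf):
            raise ASN1Error("element length exceeds buffer")
        body = buf[j:j + length]
        value = parse(body, depth + 1, max_depth) if tag & 0x20 else bytes(body)
        items.append((tag, value))
        i = j + length
    return items


def safe_parse(buf, max_depth=MAX_DEPTH):
    """(result, None) on success, (None, reason) on any malformed input."""
    try:
        return parse(buf, 0, max_depth), None
    except ASN1Error as e:
        return None, str(e)


def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed test inputs."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def nested_sequences(levels):
    """SEQUENCE { SEQUENCE { ... OCTET STRING 'x' } }, 'levels' deep (constructed input)."""
    blob = der(0x04, b"x")
    for _ in range(levels):
        blob = der(0x30, blob)
    return blob


if __name__ == "__main__":
    print(safe_parse(nested_sequences(3)))
    print(safe_parse(nested_sequences(5000)))     # rejected at level 33, stack untouched
```

The encoder is deliberately minimal (single-byte tags, definite lengths only), which is also the set of inputs the parser accepts; indefinite-length and non-minimal encodings are rejected as non-DER rather than parsed leniently.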
CVE-2018-0737 | LOW | CVSS 5.9 | fixed in openssl 1.1.0h-3 (bookworm) | 2018
[MEDIUM] openssl: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). Scope: local. bo
Source: debian
CVE-2017-3733 | HIGH | CVSS 7.5 | fixed in openssl 1.1.0e-1 (bookworm) | 2017
[HIGH] openssl: During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected. Scope: local. bookworm: resolved (fixed in 1.1.0e-1); bullseye: resolved (fixed in 1.1.0e-1); forky: resolved
Source: debian
CVE-2017-3731 | HIGH | CVSS 7.5 | fixed in openssl 1.1.0d-1 (bookworm) | 2017
[HIGH] openssl: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For OpenSSL 1.0.2, the crash can be triggered
Source: debian
CVE-2017-3732 | HIGH | CVSS 7.5 | fixed in openssl 1.1.0d-1 (bookworm) | 2017
[HIGH] openssl: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very d
Source: debian
CVE-2017-3730 | HIGH | CVSS 7.5 | PoC available | fixed in openssl 1.1.0d-1 (bookworm) | 2017
[HIGH] openssl: In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. Scope: local. bookworm: resolved (fixed in 1.1.0d-1); bullseye: resolved (fixed in 1.1.0d-1); forky: reso
Source: debian
CVE-2017-3736 | MEDIUM | CVSS 6.5 | fixed in openssl 1.1.0g-1 (bookworm) | 2017
[MEDIUM] openssl: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very diffi
Source: debian
CVE-2017-3737 | MEDIUM | CVSS 5.9 | fixed in openssl 1.1.0b-2 (bookworm) | 2017
[MEDIUM] openssl: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_c
Source: debian
CVE-2017-3735 | MEDIUM | CVSS 5.3 | fixed in openssl 1.1.0g-1 (bookworm) | 2017
[MEDIUM] openssl: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g. Scope: local. bookworm: resolved (fixed in 1.1.0g-1); bullseye: resolved (fixed in 1.1.0
Source: debian