Debian OpenSSL vulnerabilities

277 known vulnerabilities affecting debian/openssl.

Total CVEs: 277
CISA KEV: 1 (actively exploited)
Public exploits: 27
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 70, MEDIUM 109, LOW 84, UNKNOWN 2

Vulnerabilities

CVE-2016-2105 | HIGH | CVSS 7.5 | fixed in openssl 1.0.2h-1 (bookworm) | 2016
[HIGH] openssl - Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Scope: local; bookworm: resolved (fixed in 1.0.2h-1); bullseye: resolved (fixed in 1.0.2h-1); forky: resolved (fixed in 1.0.2h-1); sid: res
debian
CVE-2016-0800 | MEDIUM | CVSS 5.9 | PoC | fixed in nss 3.13 (bookworm) | 2016
[MEDIUM] nss - The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. Scope:
CVE-2016-0703 | MEDIUM | CVSS 5.9 | fixed in openssl 1.0.0c-2 (bookworm) | 2016
[MEDIUM] openssl - The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by lever
CVE-2016-6306 | MEDIUM | CVSS 5.9 | fixed in openssl 1.0.2i-1 (bookworm) | 2016
[MEDIUM] openssl - The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
Scope: local; bookworm: resolved (fixed in 1.0.2i-1); bullseye: resolved (fixed in 1.0.2i-1); forky: resolved (fixed in 1.0.2i-1); sid: resolved (fix
CVE-2016-7056 | MEDIUM | CVSS 5.5 | fixed in openssl 1.0.2a-1 (bookworm) | 2016
[MEDIUM] openssl - A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
Scope: local; bookworm: resolved (fixed in 1.0.2a-1); bullseye: resolved (fixed in 1.0.2a-1); forky: resolved (fixed in 1.0.2a-1); sid: resolved (fixed in 1.0.2a-1); trixie: resolved (fixed in 1.0.2a-1)
CVE-2016-0704 | MEDIUM | CVSS 5.9 | fixed in openssl 1.0.0c-2 (bookworm) | 2016
[MEDIUM] openssl - An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a B
CVE-2016-0702 | MEDIUM | CVSS 5.1 | fixed in openssl 1.0.2g-1 (bookworm) | 2016
[MEDIUM] openssl - The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-
CVE-2016-2177 | LOW | CVSS 9.8 | fixed in openssl 1.0.2i-1 (bookworm) | 2016
[CRITICAL] openssl - OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Scope: local; bookworm: resolved (fixe
CVE-2016-6308 | LOW | CVSS 5.9 | 2016
[MEDIUM] openssl - statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2016-2107 | LOW | CVSS 2.6 | PoC | fixed in openssl 1.0.2h-1 (bookworm) | 2016
[LOW] openssl - The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Scope: local; bookworm
CVE-2016-2178 | LOW | CVSS 5.5 | fixed in openssl 1.0.2i-1 (bookworm) | 2016
[MEDIUM] openssl - The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
Scope: local; bookworm: resolved (fixed in 1.0.2i-1); bullseye: resolved (fixed in 1.0.2i-1); forky: resolved (fixed in 1.0.2i-1
CVE-2016-6307 | LOW | CVSS 5.9 | 2016
[MEDIUM] openssl - The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; tr
CVE-2016-6309 | LOW | CVSS 9.8 | 2016
[CRITICAL] openssl - statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2016-6305 | LOW | CVSS 7.5 | 2016
[HIGH] openssl - The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2016-0701 | LOW | CVSS 3.7 | fixed in openssl 1.0.2f-2 (bookworm) | 2016
[LOW] openssl - The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 fi
CVE-2016-7055 | LOW | CVSS 5.9 | fixed in openssl 1.1.0c-1 (bookworm) | 2016
[MEDIUM] openssl - There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the pri
CVE-2016-2176 | LOW | CVSS 8.2 | 2016
[HIGH] openssl - The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2015-3193 | HIGH | CVSS 7.5 | fixed in openssl 1.0.2e-1 (bookworm) | 2015
[HIGH] openssl - The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2
CVE-2015-1789 | HIGH | CVSS 7.5 | fixed in openssl 1.0.2b-1 (bookworm) | 2015
[HIGH] openssl - The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication
CVE-2015-0292 | HIGH | CVSS 7.5 | fixed in openssl 1.0.1h-1 (bookworm) | 2015
[HIGH] openssl - Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
Scope: local; b