The following Fedora EPEL 5 Security updates need testing:
 Age  URL                                                                 Build
 836  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3849       sblim-sfcb-1.3.8-2.el5
 479  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-edbea40516  mcollective-2.8.4-1.el5
 450  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-582c8075e6  thttpd-2.25b-24.el5
  61  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce45574ab6  libbsd-0.8.3-2.el5
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-90b2cbfdaf  openssl101e-1.0.1e-10.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    openssl101e-1.0.1e-10.el5

Details about builds:


================================================================================
 openssl101e-1.0.1e-10.el5 (FEDORA-EPEL-2017-90b2cbfdaf)
 A general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:

OpenSSL
=======

Security Fixes
--------------

  * An integer underflow leading to an out of bounds read flaw was found in
    OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit
    TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite.
    (CVE-2017-3731)

  * A denial of service flaw was found in the way the TLS/SSL protocol defined
    processing of ALERT packets during a connection handshake. A remote attacker
    could use this flaw to make a TLS/SSL server consume an excessive amount of
    CPU and fail to accept connections from other clients. (CVE-2016-8610)

  * The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL
    versions and forks is vulnerable to timing attacks when signing with the
    standardized elliptic curve P-256, despite featuring constant-time curve
    operations and modular inversion. A software defect omits setting the
    BN_FLG_CONSTTIME flag for nonces, so the secure code path in BN_mod_inverse
    is not taken, resulting in a cache-timing attack vulnerability. A malicious
    user with local access can recover ECDSA P-256 private keys. (CVE-2016-7056)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
        https://bugzilla.redhat.com/show_bug.cgi?id=1384743
  [ 2 ] Bug #1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
        https://bugzilla.redhat.com/show_bug.cgi?id=1416852
  [ 3 ] Bug #1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery
        https://bugzilla.redhat.com/show_bug.cgi?id=1412120
--------------------------------------------------------------------------------
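Testers and administrators usually want to confirm that a host is actually running the fixed build rather than an older openssl101e package. The script below is an added example, not part of this Bodhi report or of the openssl101e package; it re-implements rpm's rpmvercmp() segment comparison in pure Python so it runs without the rpm bindings, and compares an installed VERSION-RELEASE string (normally obtained with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl101e`) against the 1.0.1e-10.el5 build from this update. The installed sample value in the block is constructed; openssl101e carries no epoch, so epoch comparison is omitted.

```python
"""Compare an installed openssl101e VERSION-RELEASE against the fixed build.

Added example (not the report's or the package's own code). Reimplements
rpm's rpmvercmp() rules: non-alphanumeric characters separate segments,
numeric segments compare numerically (leading zeros ignored, longer wins),
alphabetic segments compare lexically, a numeric segment is newer than an
alphabetic one, and '~' sorts before everything, including end of string.
"""
import re
import sys

# version-release of the build announced in this update (FEDORA-EPEL-2017-90b2cbfdaf)
FIXED_VR = "1.0.1e-10.el5"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1, mirroring rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        # '~' (pre-release marker) sorts before anything, even end of string
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if not x or not y:
            break  # one side ran out of segments; decided below
        # segments of different type: numeric beats alphabetic
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    if i >= len(sa) and i >= len(sb):
        return 0
    # the string with segments left over is the newer one
    return -1 if i >= len(sa) else 1


def parse_vr(vr):
    """Split 'VERSION-RELEASE' at the last '-' (a release never contains '-')."""
    version, sep, release = vr.rpartition("-")
    if not sep or not version or not release:
        raise ValueError("expected VERSION-RELEASE, got %r" % (vr,))
    return version, release


def vr_compare(installed_vr, fixed_vr):
    """Compare two VERSION-RELEASE strings: version first, then release."""
    iv, ir = parse_vr(installed_vr)
    fv, fr = parse_vr(fixed_vr)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed build is the fixed one or newer."""
    return vr_compare(installed_vr, fixed_vr) >= 0


if __name__ == "__main__":
    # constructed sample: an older openssl101e build still lacking the fixes
    installed = sys.argv[1] if len(sys.argv) > 1 else "1.0.1e-9.el5"
    state = "fixed" if is_fixed(installed) else "VULNERABLE"
    print("openssl101e-%s vs fixed %s: %s" % (installed, FIXED_VR, state))
```

Run it with the output of the rpm query as its only argument; an exit with "VULNERABLE" means the host still needs the update from updates-testing (or the later stable push).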
_______________________________________________
epel-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]