Author: carnil
Date: 2016-09-22 19:11:18 +0000 (Thu, 22 Sep 2016)
New Revision: 44826
Modified: data/CVE/list Log: Add notes for openssl CVEs Modified: data/CVE/list =================================================================== --- data/CVE/list 2016-09-22 19:11:02 UTC (rev 44825) +++ data/CVE/list 2016-09-22 19:11:18 UTC (rev 44826) @@ -5754,16 +5754,12 @@ RESERVED CVE-2016-6308 RESERVED - - openssl <unfixed> (low) - [jessie] - openssl <not-affected> (Only affects 1.1) - [wheezy] - openssl <not-affected> (Only affects 1.1) + - openssl <not-affected> (Only affects 1.1) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=48c054fec3506417b2598837b8062aae7114c200 NOTE: https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6307 RESERVED - - openssl <unfixed> (low) - [jessie] - openssl <not-affected> (Only affects 1.1) - [wheezy] - openssl <not-affected> (Only affects 1.1) + - openssl <not-affected> (Only affects 1.1) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=c1ef7c971d0bbf117c3c80f65b5875e2e7b024b1 NOTE: https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6306 
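Review bot: collapsing the per-suite lines into a single "- openssl <not-affected> (Only affects 1.1)" for CVE-2016-6308 and CVE-2016-6307 drops tracking of the one package that "Only affects 1.1" actually hits, the 1.1.0 upload in experimental that other entries in this file record as "[experimental] - openssl 1.1.0-1" (CVE-2016-6303, CVE-2016-6302). Either add a "[experimental] - openssl 1.1.0a-1" line to both entries, as the CVE-2016-6304 entry does, or add a NOTE saying why experimental is deliberately not tracked here; otherwise the file reads as if no Debian package was ever affected. Dropping the "(low)" severity is fine once the entry is <not-affected>.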
@@ -5771,26 +5767,30 @@ - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=ff553f837172ecb2b5c8eca257ec3c5619a4b299 NOTE: https://www.openssl.org/news/secadv/20160922.txt -CVE-2016-6305 + NOTE: Fixed in 1.0.2i, 1.0.1u +CVE-2016-6305 [SSL_peek() hang on empty record] RESERVED - - openssl <unfixed> - [jessie] - openssl <not-affected> (Only affects 1.1) - [wheezy] - openssl <not-affected> (Only affects 1.1) + - openssl <not-affected> (Only affects 1.1) NOTE: https://www.openssl.org/news/secadv/20160922.txt -CVE-2016-6304 + NOTE: Fixed in 1.1.0a +CVE-2016-6304 [OCSP Status Request extension unbounded memory growth] RESERVED + [experimental] - openssl 1.1.0a-1 - openssl <unfixed> NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.1.0a, 1.0.2i, 1.0.1u CVE-2016-6303 (Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c ...) [experimental] - openssl 1.1.0-1 - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=55d83bf7c10c7b205fffa23fa7c3977491e56c07 NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-6302 (The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before ...) [experimental] - openssl 1.1.0-1 - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=e97763c92c655dcf4af2860b3abd2bc4c8a267f9 NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-6301 [NTP server denial of service flaw] RESERVED - busybox <unfixed> (unimportant; bug #833442) 
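Review bot: the added "NOTE: Fixed in 1.0.2i, 1.0.1u" on CVE-2016-6306, CVE-2016-6303 and CVE-2016-6302 says nothing about the 1.1 branch, yet 6303 and 6302 keep "[experimental] - openssl 1.1.0-1" unchanged and 6306 carries no 1.1 annotation at all, while CVE-2016-6304 in the same hunk is handled completely ("[experimental] - openssl 1.1.0a-1" plus "Fixed in 1.1.0a, 1.0.2i, 1.0.1u"). For each of the three, either extend the note with the 1.1.0 fix release and bump the experimental entry to the fixed version, or add an explicit remark that 1.1 is not affected, so the experimental status is not left as an implicit <unfixed>. CVE-2016-6305 has the mirror-image gap: the new "Fixed in 1.1.0a" note identifies a 1.1 fix, but the entry has no experimental line to carry it.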
@@ -19342,27 +19342,33 @@ - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34 NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2181 (The Anti-Replay feature in the DTLS implementation in OpenSSL before ...) - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=1fb9fdc3027b27d8eb6a1e6a846435b070980770 NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2180 (The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 ...) - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=0ed26acce328ec16a3aa635f1ca37365e8c7403a NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2179 (The DTLS implementation in OpenSSL before 1.1.0 does not properly ...) - openssl <unfixed> NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=f5c7f5dfbaf0d2f7d946d0fe86f08e6bcb36ed0d NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2178 (The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL ...) - openssl <unfixed> (low) NOTE: Fixed in master branch in https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2 NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2177 (OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for ...) - openssl <unfixed> (low) NOTE: Fixed in 1.0.2 branch in https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7 NOTE: https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/ NOTE: https://www.openssl.org/news/secadv/20160922.txt + NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2176 (The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL ...) 
- openssl <not-affected> (Only applies to EBCDIC systems) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ea96ad5a206b7b5f25dad230333e8ff032df3219 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
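Review bot: for CVE-2016-2178 the new "NOTE: Fixed in 1.0.2i, 1.0.1u" sits next to an existing note that only cites a fix "in master branch", so the entry never identifies the 1.0.x commit that the 1.0.2i/1.0.1u releases are claimed to contain; add the release-branch commit the way CVE-2016-2177 already does ("Fixed in 1.0.2 branch in ..."), since a master-only reference also leaves open whether the 1.1.0-1 package in experimental was affected. Both entries keep "<unfixed> (low)", which is correct for the Debian packages until an upload happens, but the "Fixed in" note on the remaining entries in this hunk (CVE-2016-2181, -2180, -2179) would be easier to act on if it named the same commits that the existing NOTE links already point at rather than a second parallel line per entry.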