Bug 976943 - VUL-1: openssl: Fix buffer overrun in ASN1_parse()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
maint:released:sle10-sp3:62680 maint:...
Reported: 2016-04-23 16:03 UTC by Marcus Meissner
Modified: 2019-08-30 06:39 UTC

Description Marcus Meissner 2016-04-23 16:03:10 UTC
openssl git

openssl team has not assigned a CVE, considers it not troublesome.

1.0.1 branch:

commit 697283ba418b21c4c0682d7050264b492e2ea4e2
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date:   Tue Apr 19 22:23:24 2016 -0400

    Fix buffer overrun in ASN1_parse().
    
    Backport of commits:
    
        79c7f74d6cefd5d32fa20e69195ad3de834ce065
        bdcd660e33710079b495cf5cc6a1aaa5d2dcd317
    
    from master.
    
    Reviewed-by: Matt Caswell <matt@openssl.org>
Comment 1 Swamp Workflow Management 2016-04-23 22:00:24 UTC
bugbot adjusting priority
Comment 11 Swamp Workflow Management 2016-05-03 08:03:37 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62679
Comment 12 Bernhard Wiedemann 2016-05-03 15:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (976943) was mentioned in
https://build.opensuse.org/request/show/393430 13.2+42.1 / openssl
Comment 13 Bernhard Wiedemann 2016-05-03 18:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (976943) was mentioned in
https://build.opensuse.org/request/show/393469 13.2+42.1 / libopenssl0_9_8
Comment 15 Swamp Workflow Management 2016-05-03 20:08:56 UTC
SUSE-SU-2016:1206-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 889013,971354,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.47.1
Comment 16 Swamp Workflow Management 2016-05-04 14:14:46 UTC
SUSE-SU-2016:1228-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-27.16.1
Comment 17 Swamp Workflow Management 2016-05-04 16:08:37 UTC
SUSE-SU-2016:1231-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 976942,976943,977615,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.44.1
SUSE Linux Enterprise Server for SAP 11-SP3 (src):    compat-openssl097g-0.9.7g-146.22.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.44.1
Comment 18 Swamp Workflow Management 2016-05-04 16:10:15 UTC
SUSE-SU-2016:1233-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssl-1.0.1i-47.1
Comment 19 Swamp Workflow Management 2016-05-05 11:07:52 UTC
openSUSE-SU-2016:1237-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    openssl-1.0.1p-74.1
Comment 20 Swamp Workflow Management 2016-05-05 11:08:57 UTC
openSUSE-SU-2016:1238-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.36.1
Comment 21 Swamp Workflow Management 2016-05-05 11:10:50 UTC
openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    libopenssl0_9_8-0.9.8zh-14.1
Comment 22 Swamp Workflow Management 2016-05-05 11:11:34 UTC
openSUSE-SU-2016:1240-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1k-11.87.1
Comment 23 Swamp Workflow Management 2016-05-05 11:13:12 UTC
openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    libopenssl0_9_8-0.9.8zh-5.3.1
Comment 24 Swamp Workflow Management 2016-05-05 16:08:23 UTC
openSUSE-SU-2016:1242-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    libopenssl0_9_8-0.9.8zh-17.1
openSUSE 13.2 (src):    libopenssl0_9_8-0.9.8zh-9.6.1
Comment 25 Swamp Workflow Management 2016-05-05 16:09:16 UTC
openSUSE-SU-2016:1243-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    openssl-1.0.1i-15.1
Comment 26 Swamp Workflow Management 2016-05-09 10:08:40 UTC
SUSE-SU-2016:1267-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-97.1
Comment 27 Swamp Workflow Management 2016-05-10 22:08:19 UTC
openSUSE-SU-2016:1273-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    compat-openssl098-0.9.8j-12.2
Comment 28 Bernhard Wiedemann 2016-05-11 10:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (976943) was mentioned in
https://build.opensuse.org/request/show/394817 42.2 / openssl
Comment 29 Swamp Workflow Management 2016-05-12 18:08:41 UTC
SUSE-SU-2016:1290-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.97.1
SUSE OpenStack Cloud 5 (src):    openssl-0.9.8j-0.97.1
SUSE Manager Proxy 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Manager 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    openssl-0.9.8j-0.97.1
Comment 30 Marcus Meissner 2016-05-19 13:50:56 UTC
released
Comment 31 Swamp Workflow Management 2016-05-19 17:10:30 UTC
SUSE-SU-2016:1360-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 968050,973223,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.96.1