FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-15:06.openssl) (Multiple CVEs)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | January 08, 2015 | March 20, 2015 | February 21, 2017 |
Description
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
References
- APPLE-APPLE-SA-2015-04-08-2
- APPLE-APPLE-SA-2015-06-30-2
- APPLE-APPLE-SA-2015-09-16-1
- APPLE-APPLE-SA-2015-09-30-3
- BID-73225
- BID-73228
- BID-73237
- BID-91787
- CVE-2015-0204
- CVE-2015-0209
- CVE-2015-0286
- CVE-2015-0287
- CVE-2015-0288
- CVE-2015-0289
- CVE-2015-0292
- CVE-2015-0293
- DEBIAN-DSA-3125
- DEBIAN-DSA-3197
- DISA_SEVERITY-Category I
- DISA_VMSKEY-V0060997
- DISA_VMSKEY-V0061081
- DISA_VMSKEY-V0061123
- DISA_VMSKEY-V0061359
- DISA_VMSKEY-V0061471
- IAVM-2015-A-0135
- IAVM-2015-A-0154
- IAVM-2015-A-0160
- IAVM-2015-A-0222
- IAVM-2015-B-0106
- REDHAT-RHSA-2015:0066
- REDHAT-RHSA-2015:0715
- REDHAT-RHSA-2015:0716
- REDHAT-RHSA-2015:0752
- REDHAT-RHSA-2015:0800
- REDHAT-RHSA-2015:0849
- URL: https://www.openssl.org/news/secadv_20150319.txt
Solution
freebsd-upgrade-base-10_1-release-p8
Related Vulnerabilities
- Gentoo Linux: CVE-2015-7183: Mozilla Products: Multiple vulnerabilities
- Ubuntu: (Multiple Advisories) (CVE-2016-3606): OpenJDK 6 vulnerabilities
- Java CPU July 2016 Java SE, Java SE Embedded Libraries vulnerability (CVE-2016-3598)
- Red Hat: CVE-2016-2108: Important: openssl security update ((Multiple Advisories))
- HP-UX: CVE-2015-1793: OpenSSL Vulnerability (Alternative Chain Certificate Forgery)
- Ubuntu: USN-2959-1 (CVE-2016-2105): OpenSSL vulnerabilities
- Oracle Linux: (CVE-2016-3587) ELSA-2016-1458: java-1.8.0-openjdk security update
- Red Hat: CVE-2016-3521: Important: mariadb security update (RHSA-2016:1602)
- CentOS: (CVE-2016-3521) CESA-2016:1602: mariadb
- SUSE: CVE-2016-1978: SUSE Linux Security Advisory
- OS X update for Admin Framework (CVE-2015-4000)
- Amazon Linux AMI: CVE-2016-5440: Security patch for mysql55 ((Multiple Advisories))
- MFSA2015-70 SeaMonkey: NSS accepts export-length DHE keys with regular DHE cipher suites (CVE-2015-4000)
- Ubuntu: USN-2883-1 (CVE-2016-0701): OpenSSL vulnerability
- OS X update for apache (CVE-2015-1790)
- F5 Networks: K16864 (CVE-2015-2808): SSL/TLS RC4 vulnerability CVE-2015-2808
- Cent OS: CVE-2015-0292: CESA-2015:0800 (openssl)
- Palo Alto Networks (Multiple Advisories) (CVE-2015-1792): OpenSSL Vulnerabilities
- HP-UX: CVE-2015-0209: Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a remote Denial of Service (DoS) and other vulnerabilities.
- Gentoo Linux: CVE-2015-3237: cURL: Multiple vulnerabilities
- SUSE: CVE-2015-5600: SUSE Linux Security Advisory
- Gentoo Linux: CVE-2016-1978: Mozilla Products: Multiple vulnerabilities
- HP Systems Insight Manager - HPSBMU03394 (CVE-2015-1791): Linux and Windows, Multiple Vulnerabilities
- CentOS: (CVE-2016-0800) (Multiple Advisories): openssl098e
- SUSE: CVE-2016-3458: SUSE Linux Security Advisory
- Debian: CVE-2016-3521: mariadb-10.0 -- security update
- F5 Networks: K25075696 (CVE-2016-3500): Oracle Java vulnerability CVE-2016-3500
- Oracle Solaris 11: CVE-2015-0293: Vulnerability in OpenSSL
- Alpine Linux: CVE-2016-2106: openssl Multiple vulnerabilities
- OpenSSL Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Java CPU July 2016 Java SE, Java SE Embedded Hotspot vulnerability (CVE-2016-3550)
- SUSE: CVE-2016-3501: SUSE Linux Security Advisory
- RHSA-2016:0372: openssl098e security update
- Oracle Solaris 11: CVE-2015-3236: Vulnerability in libcurl
- Amazon Linux AMI: CVE-2016-3459: Security patch for mysql56 (ALAS-2016-737)
- F5 Networks: K31026324 (CVE-2015-8104): Linux kernel vulnerabilities CVE-2015-2925, CVE-2015-5307, and CVE-2015-8104
- IBM AIX: java_april2015_advisory, rc4_advisory (CVE-2015-2808): Vulnerability in IBM Java SDK affects AIX
- Debian: CVE-2016-0797: openssl -- security update
- Oracle Solaris 11: CVE-2015-1788: Vulnerability in OpenSSL
- Debian: CVE-2015-7182: nss -- security update
- Huawei EulerOS: CVE-2016-4052: squid security update
- Huawei EulerOS: CVE-2016-3521: mariadb security update
- CentOS: (CVE-2016-3606) (Multiple Advisories): java-1.6.0-openjdk
- FreeBSD: FreeBSD -- Multiple OpenSSL vulnerabilities (FreeBSD-SA-16:12.openssl) (Multiple CVEs)
- Amazon Linux AMI: CVE-2016-0797: Security patch for openssl (ALAS-2016-661)
- Huawei EulerOS: CVE-2016-3610: java-1.7.0-openjdk security update
- MFSA2015-133 Firefox: NSS and NSPR memory corruption issues (CVE-2015-7182)
- Cent OS: CVE-2015-0286: CESA-2015:0716 (openssl)
- Gentoo Linux: CVE-2015-0204: OpenSSL: Multiple vulnerabilities
- FreeBSD: node -- multiple vulnerabilities (Multiple CVEs)
- Apache HTTPD: mod_lua: Crash in websockets PING handling (CVE-2015-0228)
- Oracle Linux: (CVE-2016-2109) (Multiple Advisories): openssl security update
- Oracle Solaris 11: CVE-2016-5444: Vulnerability in MySQL
- Ubuntu: USN-3040-1 (CVE-2016-5437): MySQL vulnerabilities
- Amazon Linux AMI: CVE-2016-4051: Security patch for squid ((Multiple Advisories))
- Amazon Linux AMI: CVE-2016-4052: Security patch for squid (ALAS-2016-713)
- FreeBSD: openssl -- multiple vulnerabilities (FreeBSD-SA-15:26.openssl) (Multiple CVEs)
- FreeBSD: apache22 -- chunk header parsing defect (CVE-2015-3183)
- Ubuntu: USN-2830-1 (CVE-2015-3193): OpenSSL vulnerabilities
- Ubuntu: USN-2959-1 (CVE-2016-2106): OpenSSL vulnerabilities
- HP-UX: CVE-2015-1790: OpenSSL Vulnerability (PKCS7 crash with missing EnvelopedContent)
- OpenSSL Base64 decode (CVE-2015-0292)
- RHSA-2016:0304: openssl security update
- Amazon Linux AMI: CVE-2016-3458: Security patch for java-1.6.0-openjdk ((Multiple Advisories))
- Oracle Linux: (CVE-2016-3550) (Multiple Advisories): java-1.6.0-openjdk security update
- Ubuntu: (Multiple Advisories) (CVE-2015-7181): Thunderbird vulnerabilities
- Gentoo Linux: CVE-2016-0799: OpenSSL: Multiple vulnerabilities
- SUSE: CVE-2016-3511: SUSE Linux Security Advisory
- Cisco SAN-OS: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products (CVE-2016-0701)
- Oracle Solaris 11: CVE-2015-7183: Vulnerability in Firefox, Thunderbird
- SUSE: CVE-2015-0228: SUSE Linux Security Advisory
- OS X update for OpenSSL (CVE-2015-0289)
- IBM AIX: openssl_advisory13 (CVE-2015-0288): Vulnerabilities in OpenSSL affects AIX
- SUSE: CVE-2015-7182: SUSE Linux Security Advisory
- Cisco ASA: CVE-2015-3194: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products December 2015 (cisco-sa-20151204-openssl)
- IBM AIX: openssl_advisory13 (CVE-2015-0287): Vulnerabilities in OpenSSL affects AIX
- HP-UX: CVE-2015-1791: OpenSSL Vulnerability (Race condition handling NewSessionTicket)
- IBM AIX: openssl_advisory20 (CVE-2016-2108): Vulnerabilities in OpenSSL affects AIX
- Gentoo Linux: CVE-2016-3598: Oracle JRE/JDK: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2016-5469: Vulnerability in Kernel
- Gentoo Linux: CVE-2015-0292: OpenSSL: Multiple vulnerabilities
- OpenSSL Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
- Apache Struts: CVE-2016-1182: XSS and denial of service
- F5 Networks: K16915 (CVE-2015-1792): OpenSSL vulnerability CVE-2015-1792
- SUSE: CVE-2016-0799: SUSE Linux Security Advisory
- Huawei EulerOS: CVE-2016-3452: mariadb security update
- RHSA-2015:0800: openssl security update
- Oracle Linux: (CVE-2016-3615) ELSA-2016-1602: mariadb security update
- Juniper Junos OS: 2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024 DH groups, and active downgrade attack of TLS to DHE_EXPORT (JSA10681) (CVE-2015-4000)
- Red Hat: CVE-2016-2105: Important: openssl security update ((Multiple Advisories))
- F5 Networks: K16124 (CVE-2015-0206): OpenSSL vulnerability CVE-2015-0206
- Red Hat: CVE-2016-5440: Important: mariadb security update (RHSA-2016:1602)
- CentOS: (CVE-2016-4053) (Multiple Advisories): squid34
- Alpine Linux: CVE-2016-2105: openssl Multiple vulnerabilities
- OpenSSL PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
- MFSA2015-150 Thunderbird: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (CVE-2015-7575)
- HP Systems Insight Manager - HPSBMU03394 (CVE-2015-1789): Linux and Windows, Multiple Vulnerabilities
- Red Hat: CVE-2016-2106: Important: openssl security update ((Multiple Advisories))
- Oracle MySQL Vulnerability: CVE-2016-3614
- Juniper Junos OS: 2018-04 Security Bulletin: OpenSSL Security Advisory [07 Dec 2017] (JSA10851) (multiple CVEs)