MGASA-2017-0042

Source
https://advisories.mageia.org/MGASA-2017-0042.html
Import Source
https://advisories.mageia.org/MGASA-2017-0042.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2017-0042
Published
2017-02-05T20:42:41Z
Modified
2017-02-05T20:32:43Z
Summary
Updated openssl packages fix security vulnerability
Details

There is a carry propagation bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits. Among EC algorithms, only Brainpool P-512 curves are affected, and one presumably can attack ECDH key negotiation (CVE-2016-7055).

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. The crash can be triggered when using RC4-MD5, if it has not been disabled (CVE-2017-3731).

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker would need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients (CVE-2017-3732).


Affected packages

Mageia:5 / openssl

Package

Name
openssl
Purl
pkg:rpm/mageia/openssl?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.2k-1.mga5

Ecosystem specific

{
    "section": "core"
}