Vulnerabilities > CVE-2016-0704 - Information Exposure vulnerability in Openssl

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
high complexity
openssl
CWE-200
nessus

Summary

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Vulnerable Configurations

Part Description Count
Application
Openssl
148

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyWeb Servers
    NASL idOPENSSL_1_0_2A.NASL
    descriptionAccording to its banner, the remote web server uses a version of OpenSSL 1.0.2 prior to 1.0.2a. The OpenSSL library is, therefore, affected by the following vulnerabilities : - A flaw exists in the DTLSv1_listen() function due to state being preserved in the SSL object from one invocation to the next. A remote attacker can exploit this, via crafted DTLS traffic, to cause a segmentation fault, resulting in a denial of service. (CVE-2015-0207) - A flaw exists in the rsa_item_verify() function due to improper implementation of ASN.1 signature verification. A remote attacker can exploit this, via an ASN.1 signature using the RSA PSS algorithm and invalid parameters, to cause a NULL pointer dereference, resulting in a denial of service. (CVE-2015-0208) - A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209) - A flaw exists in the ssl3_client_hello() function due to improper validation of a PRNG seed before proceeding with a handshake, resulting in insufficient entropy and predictable output. This allows a man-in-the-middle attacker to defeat cryptographic protection mechanisms via a brute-force attack, resulting in the disclosure of sensitive information. (CVE-2015-0285) - An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286) - A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize
    last seen2020-06-01
    modified2020-06-02
    plugin id82033
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82033
    titleOpenSSL 1.0.2 < 1.0.2a Multiple Vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-682.NASL
    descriptionA denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle. (CVE-2016-0703) It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle. (CVE-2016-0704) A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks. (CVE-2015-3197)
    last seen2020-06-01
    modified2020-06-02
    plugin id90364
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90364
    titleAmazon Linux AMI : openssl098e (ALAS-2016-682) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0678-1.NASL
    descriptionOpenSSL was update to fix security issues and bugs : CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89731
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89731
    titleSUSE SLES10 Security Update : OpenSSL (SUSE-SU-2016:0678-1) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0641-1.NASL
    descriptionThis update for compat-openssl098 fixes various security issues and bugs : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89658
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89658
    titleSUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0641-1) (DROWN)
  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_8ZF.NASL
    descriptionAccording to its banner, the remote web server uses a version of OpenSSL 0.9.8 prior to 0.9.8zf. The OpenSSL library is, therefore, affected by the following vulnerabilities : - A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209) - An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286) - A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize
    last seen2020-06-01
    modified2020-06-02
    plugin id82030
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82030
    titleOpenSSL 0.9.8 < 0.9.8zf Multiple Vulnerabilities
  • NASL familyFirewalls
    NASL idSCREENOS_JSA10759.NASL
    descriptionThe version of Juniper ScreenOS running on the remote host is 6.3.x prior to 6.3.0r23. It is, therefore, affected by multiple vulnerabilities in its bundled version of OpenSSL : - A flaw exists in the SSLv2 implementation, specifically in the get_client_master_key() function within file s2_srvr.c, due to accepting a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher. A man-in-the-middle attacker can exploit this to determine the MASTER-KEY value and decrypt TLS ciphertext by leveraging a Bleichenbacher RSA padding oracle. (CVE-2016-0703) - A flaw exists in the SSLv2 oracle protection mechanism, specifically in the get_client_master_key() function within file s2_srvr.c, due to incorrectly overwriting MASTER-KEY bytes during use of export cipher suites. A remote attackers can exploit this to more easily decrypt TLS ciphertext by leveraging a Bleichenbacher RSA padding oracle. (CVE-2016-0704) - A NULL pointer dereference flaw exists in the BN_hex2bn() and BN_dec2bn() functions. A remote attacker can exploit this to trigger a heap corruption, resulting in the execution of arbitrary code. (CVE-2016-0797) - A flaw exists that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TSL connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key. (CVE-2016-0800) - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - A remote code execution vulnerability exists in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2108) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id94679
    published2016-11-10
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94679
    titleJuniper ScreenOS 6.3.x < 6.3.0r23 Multiple Vulnerabilities in OpenSSL (JSA10759) (DROWN)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160309_OPENSSL098E_ON_SL6_X.NASL
    descriptionA padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non- export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.(CVE-2016-0703) It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle. (CVE-2016-0704) Note: The CVE-2016-0703 and CVE-2016-0704 issues could allow for more efficient exploitation of the CVE-2016-0800 issue via the DROWN attack. A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks. (CVE-2015-3197) For the update to take effect, all services linked to the openssl098e library must be restarted, or the system rebooted.
    last seen2020-03-18
    modified2016-03-10
    plugin id89825
    published2016-03-10
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89825
    titleScientific Linux Security Update : openssl098e on SL6.x, SL7.x i386/x86_64 (20160309) (DROWN)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0716.NASL
    descriptionUpdated openssl packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id82018
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82018
    titleRHEL 7 : openssl (RHSA-2015:0716)
  • NASL familyFirewalls
    NASL idPFSENSE_SA-16_02.NASL
    descriptionAccording to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id106499
    published2018-01-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106499
    titlepfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0620-1.NASL
    descriptionThis update for openssl fixes various security issues : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89077
    published2016-03-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89077
    titleSUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0620-1) (DROWN)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0716.NASL
    descriptionFrom Red Hat Security Advisory 2015:0716 : Updated openssl packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id82016
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82016
    titleOracle Linux 7 : openssl (ELSA-2015-0716)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-0372.NASL
    descriptionFrom Red Hat Security Advisory 2016:0372 : Updated openssl098e packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id89770
    published2016-03-09
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89770
    titleOracle Linux 6 / 7 : openssl098e (ELSA-2016-0372) (DROWN)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0800.NASL
    descriptionUpdated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. (CVE-2015-0292) A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2014-8275) An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287) A NULL pointer dereference flaw was found in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id82758
    published2015-04-14
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82758
    titleRHEL 5 : openssl (RHSA-2015:0800) (FREAK)
  • NASL familyCGI abuses
    NASL idORACLE_ILOM_4_0_2_1.NASL
    descriptionAccording to its self-reported version number, the version of Oracle Integrated Lights Out Manager (ILOM) is affected by multiple vulnerabilities as described in the advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id107266
    published2018-03-09
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/107266
    titleOracle Integrated Lights Out Manager (ILOM) < 4.0.2.1 Multiple Vulnerabilities (uncredentialed check)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0800.NASL
    descriptionUpdated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. (CVE-2015-0292) A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2014-8275) An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287) A NULL pointer dereference flaw was found in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id82783
    published2015-04-15
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82783
    titleCentOS 5 : openssl (CESA-2015:0800) (FREAK)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0631-1.NASL
    descriptionThis update for compat-openssl097g fixes the following issues : - CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89722
    published2016-03-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89722
    titleSUSE SLED11 Security Update : compat-openssl097g (SUSE-SU-2016:0631-1) (DROWN)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-0303.NASL
    descriptionUpdated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.2, 6.4, and 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id89069
    published2016-03-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89069
    titleRHEL 6 : openssl (RHSA-2016:0303) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0617-1.NASL
    descriptionThis update for openssl fixes various security issues and bugs : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89076
    published2016-03-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89076
    titleSUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0617-1) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-327.NASL
    descriptionThis update for compat-openssl098 fixes various security issues and bugs : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-05
    modified2016-03-14
    plugin id89910
    published2016-03-14
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89910
    titleopenSUSE Security Update : openssl (openSUSE-2016-327) (DROWN)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-0372.NASL
    descriptionUpdated openssl098e packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id89762
    published2016-03-09
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89762
    titleCentOS 6 / 7 : openssl098e (CESA-2016:0372) (DROWN)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7B1A4A27600A11E6A6C314DAE9D210B8.NASL
    descriptionA cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. [CVE-2016-0800] A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. [CVE-2016-0705] The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. [CVE-2016-0798] In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797] The internal |fmtstr| function used in processing a
    last seen2020-06-01
    modified2020-06-02
    plugin id92921
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92921
    titleFreeBSD : FreeBSD -- Multiple OpenSSL vulnerabilities (7b1a4a27-600a-11e6-a6c3-14dae9d210b8) (DROWN)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10759.NASL
    descriptionAccording to its self-reported version number, the remote Juniper Junos device is affected by the following vulnerabilities related to OpenSSL : - A flaw exists in the ssl3_get_key_exchange() function in file s3_clnt.c when handling a ServerKeyExchange message for an anonymous DH ciphersuite with the value of
    last seen2020-03-18
    modified2017-01-05
    plugin id96316
    published2017-01-05
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96316
    titleJuniper Junos Multiple OpenSSL Vulnerabilities (JSA10759) (SWEET32)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-0372.NASL
    descriptionUpdated openssl098e packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id89773
    published2016-03-09
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89773
    titleRHEL 6 / 7 : openssl098e (RHSA-2016:0372) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-289.NASL
    descriptionThis update for openssl fixes various security issues : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-05
    modified2016-03-03
    plugin id89091
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89091
    titleopenSUSE Security Update : openssl (openSUSE-2016-289) (DROWN)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1546.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.(CVE-2018-0495) - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.(CVE-2013-0166) - OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an
    last seen2020-06-01
    modified2020-06-02
    plugin id124999
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124999
    titleEulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1546)
  • NASL familyWeb Servers
    NASL idOPENSSL_1_0_1M.NASL
    descriptionAccording to its banner, the remote web server uses a version of OpenSSL 1.0.1 prior to 1.0.1m. The OpenSSL library is, therefore, affected by the following vulnerabilities : - A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209) - An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286) - A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize
    last seen2020-06-01
    modified2020-06-02
    plugin id82032
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82032
    titleOpenSSL 1.0.1 < 1.0.1m Multiple Vulnerabilities
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL95463126.NASL
    descriptionThe get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
    last seen2020-06-01
    modified2020-06-02
    plugin id89945
    published2016-03-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89945
    titleF5 Networks BIG-IP : OpenSSL vulnerabilities (SOL95463126) (DROWN)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201603-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201603-15 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL, the worst being a cross-protocol attack called DROWN that could lead to the decryption of TLS sessions. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could decrypt TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, cause a Denial of Service condition, obtain sensitive information from memory and (in rare circumstances) recover RSA keys. Workaround : A workaround for DROWN is disabling the SSLv2 protocol on all SSL/TLS servers.
    last seen2020-06-01
    modified2020-06-02
    plugin id90053
    published2016-03-21
    reporterThis script is Copyright (C) 2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90053
    titleGLSA-201603-15 : OpenSSL: Multiple vulnerabilities (DROWN)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-0304.NASL
    descriptionUpdated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.6 and 5.9 Long Life. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id89070
    published2016-03-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89070
    titleRHEL 5 : openssl (RHSA-2016:0304) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-292.NASL
    descriptionThis update for openssl fixes various security issues : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-05
    modified2016-03-03
    plugin id89092
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89092
    titleopenSUSE Security Update : openssl (openSUSE-2016-292) (DROWN)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0624-1.NASL
    descriptionThis update for openssl fixes various security issues and bugs : Security issues fixed : - CVE-2016-0800 aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id89655
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89655
    titleSUSE SLED11 / SLES11 Security Update : openssl (SUSE-SU-2016:0624-1) (DROWN)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0800.NASL
    descriptionFrom Red Hat Security Advisory 2015:0800 : Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. (CVE-2015-0292) A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2014-8275) An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287) A NULL pointer dereference flaw was found in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id82757
    published2015-04-14
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82757
    titleOracle Linux 5 : openssl (ELSA-2015-0800) (FREAK)
  • NASL familyWeb Servers
    NASL idOPENSSL_1_0_0R.NASL
    descriptionAccording to its banner, the remote web server uses a version of OpenSSL 1.0.0 prior to 1.0.0r. The OpenSSL library is, therefore, affected by the following vulnerabilities : - A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209) - An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286) - A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize
    last seen2020-06-01
    modified2020-06-02
    plugin id82031
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82031
    titleOpenSSL 1.0.0 < 1.0.0r Multiple Vulnerabilities

Redhat

advisories
  • bugzilla
    id1202418
    titleCVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentopenssl-perl is earlier than 0:1.0.1e-30.el6_6.7
            ovaloval:com.redhat.rhsa:tst:20150715001
          • commentopenssl-perl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929004
        • AND
          • commentopenssl-static is earlier than 0:1.0.1e-30.el6_6.7
            ovaloval:com.redhat.rhsa:tst:20150715003
          • commentopenssl-static is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929006
        • AND
          • commentopenssl-devel is earlier than 0:1.0.1e-30.el6_6.7
            ovaloval:com.redhat.rhsa:tst:20150715005
          • commentopenssl-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929002
        • AND
          • commentopenssl is earlier than 0:1.0.1e-30.el6_6.7
            ovaloval:com.redhat.rhsa:tst:20150715007
          • commentopenssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929008
    rhsa
    idRHSA-2015:0715
    released2015-03-23
    severityModerate
    titleRHSA-2015:0715: openssl security update (Moderate)
  • bugzilla
    id1202418
    titleCVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentopenssl-static is earlier than 1:1.0.1e-42.el7_1.4
            ovaloval:com.redhat.rhsa:tst:20150716001
          • commentopenssl-static is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929006
        • AND
          • commentopenssl-perl is earlier than 1:1.0.1e-42.el7_1.4
            ovaloval:com.redhat.rhsa:tst:20150716003
          • commentopenssl-perl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929004
        • AND
          • commentopenssl-devel is earlier than 1:1.0.1e-42.el7_1.4
            ovaloval:com.redhat.rhsa:tst:20150716005
          • commentopenssl-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929002
        • AND
          • commentopenssl-libs is earlier than 1:1.0.1e-42.el7_1.4
            ovaloval:com.redhat.rhsa:tst:20150716007
          • commentopenssl-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929010
        • AND
          • commentopenssl is earlier than 1:1.0.1e-42.el7_1.4
            ovaloval:com.redhat.rhsa:tst:20150716009
          • commentopenssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929008
    rhsa
    idRHSA-2015:0716
    released2015-03-23
    severityModerate
    titleRHSA-2015:0716: openssl security and bug fix update (Moderate)
  • bugzilla
    id1202418
    titleCVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentopenssl-devel is earlier than 0:0.9.8e-33.el5_11
            ovaloval:com.redhat.rhsa:tst:20150800001
          • commentopenssl-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070964002
        • AND
          • commentopenssl is earlier than 0:0.9.8e-33.el5_11
            ovaloval:com.redhat.rhsa:tst:20150800003
          • commentopenssl is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070964004
        • AND
          • commentopenssl-perl is earlier than 0:0.9.8e-33.el5_11
            ovaloval:com.redhat.rhsa:tst:20150800005
          • commentopenssl-perl is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070964006
    rhsa
    idRHSA-2015:0800
    released2015-04-13
    severityModerate
    titleRHSA-2015:0800: openssl security update (Moderate)
rpms
  • openssl-0:1.0.1e-30.el6_6.7
  • openssl-debuginfo-0:1.0.1e-30.el6_6.7
  • openssl-devel-0:1.0.1e-30.el6_6.7
  • openssl-perl-0:1.0.1e-30.el6_6.7
  • openssl-static-0:1.0.1e-30.el6_6.7
  • openssl-1:1.0.1e-42.ael7b_1.4
  • openssl-1:1.0.1e-42.el7_1.4
  • openssl-debuginfo-1:1.0.1e-42.ael7b_1.4
  • openssl-debuginfo-1:1.0.1e-42.el7_1.4
  • openssl-devel-1:1.0.1e-42.ael7b_1.4
  • openssl-devel-1:1.0.1e-42.el7_1.4
  • openssl-libs-1:1.0.1e-42.ael7b_1.4
  • openssl-libs-1:1.0.1e-42.el7_1.4
  • openssl-perl-1:1.0.1e-42.ael7b_1.4
  • openssl-perl-1:1.0.1e-42.el7_1.4
  • openssl-static-1:1.0.1e-42.ael7b_1.4
  • openssl-static-1:1.0.1e-42.el7_1.4
  • openssl-0:1.0.1e-30.el6_6.7
  • openssl-debuginfo-0:1.0.1e-30.el6_6.7
  • openssl-devel-0:1.0.1e-30.el6_6.7
  • openssl-perl-0:1.0.1e-30.el6_6.7
  • openssl-static-0:1.0.1e-30.el6_6.7
  • openssl-0:0.9.8e-33.el5_11
  • openssl-debuginfo-0:0.9.8e-33.el5_11
  • openssl-devel-0:0.9.8e-33.el5_11
  • openssl-perl-0:0.9.8e-33.el5_11
  • openssl-0:1.0.0-20.el6_2.8
  • openssl-0:1.0.0-27.el6_4.5
  • openssl-0:1.0.1e-16.el6_5.16
  • openssl-debuginfo-0:1.0.0-20.el6_2.8
  • openssl-debuginfo-0:1.0.0-27.el6_4.5
  • openssl-debuginfo-0:1.0.1e-16.el6_5.16
  • openssl-devel-0:1.0.0-20.el6_2.8
  • openssl-devel-0:1.0.0-27.el6_4.5
  • openssl-devel-0:1.0.1e-16.el6_5.16
  • openssl-perl-0:1.0.0-20.el6_2.8
  • openssl-perl-0:1.0.0-27.el6_4.5
  • openssl-perl-0:1.0.1e-16.el6_5.16
  • openssl-static-0:1.0.0-20.el6_2.8
  • openssl-static-0:1.0.0-27.el6_4.5
  • openssl-static-0:1.0.1e-16.el6_5.16
  • openssl-0:0.9.8e-12.el5_6.13
  • openssl-0:0.9.8e-26.el5_9.5
  • openssl-debuginfo-0:0.9.8e-12.el5_6.13
  • openssl-debuginfo-0:0.9.8e-26.el5_9.5
  • openssl-devel-0:0.9.8e-12.el5_6.13
  • openssl-devel-0:0.9.8e-26.el5_9.5
  • openssl-perl-0:0.9.8e-12.el5_6.13
  • openssl-perl-0:0.9.8e-26.el5_9.5
  • openssl-0:0.9.7a-43.23.el4
  • openssl-debuginfo-0:0.9.7a-43.23.el4
  • openssl-devel-0:0.9.7a-43.23.el4
  • openssl-perl-0:0.9.7a-43.23.el4
  • openssl098e-0:0.9.8e-20.el6_7.1
  • openssl098e-0:0.9.8e-29.el7_2.3
  • openssl098e-debuginfo-0:0.9.8e-20.el6_7.1
  • openssl098e-debuginfo-0:0.9.8e-29.el7_2.3

References