Vulnerabilities > CVE-2019-1549 - Use of Insufficiently Random Values vulnerability in Openssl

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
openssl
CWE-330
nessus

Summary

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

Vulnerable Configurations

Part Description Count
Application
Openssl
14

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Brute Force
    In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4376-1.NASL
    descriptionCesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. (CVE-2019-1547) Matt Caswell discovered that OpenSSL incorrectly handled the random number generator (RNG). This may result in applications that use the fork() system call sharing the same RNG state between the parent and the child, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-1549) Guido Vranken discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. (CVE-2019-1551) Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. In certain scenarios, a remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. (CVE-2019-1563). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-06
    modified2020-05-29
    plugin id136967
    published2020-05-29
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136967
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : openssl vulnerabilities (USN-4376-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4376-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136967);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/05");
    
      script_cve_id("CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1551", "CVE-2019-1563");
      script_xref(name:"USN", value:"4376-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : openssl vulnerabilities (USN-4376-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, Iaroslav
    Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that
    OpenSSL incorrectly handled ECDSA signatures. An attacker could
    possibly use this issue to perform a timing side-channel attack and
    recover private ECDSA keys. (CVE-2019-1547)
    
    Matt Caswell discovered that OpenSSL incorrectly handled the random
    number generator (RNG). This may result in applications that use the
    fork() system call sharing the same RNG state between the parent and
    the child, contrary to expectations. This issue only affected Ubuntu
    18.04 LTS and Ubuntu 19.10. (CVE-2019-1549)
    
    Guido Vranken discovered that OpenSSL incorrectly performed the x86_64
    Montgomery squaring procedure. While unlikely, a remote attacker could
    possibly use this issue to recover private keys. (CVE-2019-1551)
    
    Bernd Edlinger discovered that OpenSSL incorrectly handled certain
    decryption functions. In certain scenarios, a remote attacker could
    possibly use this issue to perform a padding oracle attack and decrypt
    traffic. (CVE-2019-1563).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4376-1/"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected libssl1.0.0 and / or libssl1.1 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssl1.0.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssl1.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"libssl1.0.0", pkgver:"1.0.2g-1ubuntu4.16")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libssl1.1", pkgver:"1.1.1-1ubuntu2.1~18.04.6")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"libssl1.1", pkgver:"1.1.1c-1ubuntu4.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssl1.0.0 / libssl1.1");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D51641F152.NASL
    descriptionMinor update release 1.1.1d with low impact security fixes. ---- Fix for TLS non-compliance causing server interoperability problems with golang TLS client. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129513
    published2019-10-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129513
    titleFedora 29 : 1:openssl (2019-d51641f152)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4539.NASL
    descriptionThree security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default.
    last seen2020-06-01
    modified2020-06-02
    plugin id129506
    published2019-10-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129506
    titleDebian DSA-4539-1 : openssl - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D15AAC6C4E.NASL
    descriptionMinor update release 1.1.1d with low impact security fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129327
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129327
    titleFedora 30 : 1:openssl (2019-d15aac6c4e)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1337.NASL
    descriptionThe remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1337 advisory. - httpd: memory corruption on early pushes (CVE-2019-10081) - httpd: read-after-free in h2 connection shutdown (CVE-2019-10082) - httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092) - httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097) - httpd: mod_rewrite potential open redirect (CVE-2019-10098) - openssl: side-channel weak encryption vulnerability (CVE-2019-1547) - openssl: information disclosure in fork() (CVE-2019-1549) - openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-06
    plugin id135235
    published2020-04-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135235
    titleRHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 (RHSA-2020:1337)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2097.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. (CVE-2019-1547) - In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt.(CVE-2019-1563) - OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all.(CVE-2019-1549) - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be
    last seen2020-05-03
    modified2019-11-12
    plugin id130806
    published2019-11-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130806
    titleEulerOS 2.0 SP8 : openssl (EulerOS-SA-2019-2097)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0099-1.NASL
    descriptionThis update for openssl-1_1 fixes the following issues : Security issue fixed : CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). CVE-2019-1563: Fixed bleichenbacher attack against cms/pkcs7 encryptioon transported key (bsc#1150250). CVE-2019-1551: Fixed integer overflow in RSAZ modular exponentiation on x86_64 (bsc#1158809). CVE-2019-1549: Fixed fork problem with random generator (bsc#1150247). CVE-2019-1547: Fixed EC_GROUP_set_generator side channel attack avoidance (bsc#1150003). Bug fixes : Ship the openssl 1.1.1 binary as openssl-1_1, and make it installable in parallel with the system openssl (bsc#1140277). Update to 1.1.1d (bsc#1133925, jsc#SLE-6430). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-09
    modified2020-01-15
    plugin id132926
    published2020-01-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132926
    titleSUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2020:0099-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_9E0C6F7AD46D11E9A1C7B499BAEBFEAF.NASL
    descriptionThe OpenSSL project reports : ECDSA remote timing attack (CVE-2019-1547) [Low] Fork Protection (CVE-2019-1549) [Low] (OpenSSL 1.1.1 only)
    last seen2020-06-01
    modified2020-06-02
    plugin id128746
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128746
    titleFreeBSD : OpenSSL -- Multiple vulnerabilities (9e0c6f7a-d46d-11e9-a1c7-b499baebfeaf)
  • NASL familyWeb Servers
    NASL idOPENSSL_1_1_1D.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities : - Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. (CVE-2019-1547) - OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. OpenSSL version 1.1.1 is affected by this issue. (CVE-2019-1549) - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be
    last seen2020-05-09
    modified2019-08-23
    plugin id128116
    published2019-08-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128116
    titleOpenSSL 1.1.1 < 1.1.1d Multiple Vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1063.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).(CVE-2019-1563) - OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).(CVE-2019-1549) - Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).(CVE-2019-1547) - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be
    last seen2020-05-09
    modified2020-01-13
    plugin id132817
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132817
    titleEulerOS Virtualization for ARM 64 3.0.5.0 : openssl (EulerOS-SA-2020-1063)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0033_NXTGN.NASL
    descriptionAn update of the nxtgn package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id130110
    published2019-10-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130110
    titlePhoton OS 3.0: Nxtgn PHSA-2019-3.0-0033
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-9AB7EE6309.NASL
    descriptionMinor update release 1.1.1d with low impact security fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129635
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129635
    titleFedora 31 : 1:openssl (2019-9ab7ee6309)

Redhat

rpms
  • jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6
  • jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7
  • jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el6
  • jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el7
  • jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el6
  • jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el7
  • jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6
  • jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7
  • jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el6
  • jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el7
  • jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el6
  • jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el7
  • jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el7
  • jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6
  • jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7
  • jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el6
  • jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el7
  • jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el6
  • jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el7
  • jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el6
  • jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el7
  • jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el6
  • jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el7
  • jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7
  • jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el7
  • jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el7
  • jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el7
  • jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el7
  • jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el6
  • jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el7
  • openssl-1:1.1.1c-15.el8
  • openssl-debuginfo-1:1.1.1c-15.el8
  • openssl-debugsource-1:1.1.1c-15.el8
  • openssl-devel-1:1.1.1c-15.el8
  • openssl-libs-1:1.1.1c-15.el8
  • openssl-libs-debuginfo-1:1.1.1c-15.el8
  • openssl-perl-1:1.1.1c-15.el8

References