openssl: CVE-2016-0701, CVE-2015-3197

[tianon]

CVE-2016-0701, CVE-2015-3197

https://www.openssl.org/news/secadv/20160128.txt

CVE-2016-0701: https://www.openssl.org/news/vulnerabilities.html#2016-0701

• Fixed in OpenSSL 1.0.2f (Affected 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2015-3197: https://www.openssl.org/news/vulnerabilities.html#2015-3197

• Fixed in OpenSSL 1.0.1r (Affected 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2f (Affected 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

---

• alpine:
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-0701
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2015-3197
• busybox: nope nope nope
• centos (RHEL derivative):
  • https://access.redhat.com/security/cve/CVE-2016-0701
  • https://access.redhat.com/security/cve/CVE-2015-3197
• crux: ???
  • https://crux.nu/gitweb/?p=ports/core.git;a=history;f=openssl;hb=HEAD
• debian: only sid/stretch and squeeze affected
  • https://security-tracker.debian.org/tracker/CVE-2016-0701
  • https://security-tracker.debian.org/tracker/CVE-2015-3197
• fedora:
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0701
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3197
• mageia:
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-0701
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2015-3197
• opensuse:
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-0701
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-3197
• oraclelinux: (cc @Djelibeybi)
  • http://linux.oracle.com/cve/CVE-2016-0701.html
  • http://linux.oracle.com/cve/CVE-2015-3197.html
• sourcemage:
  • http://scmweb.sourcemage.org/?p=smgl/grimoire.git;a=history;f=crypto/openssl
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-0701
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2015-3197
• ubuntu: only wily/xenial, not embedded in image
  • http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0701.html
  • http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2015-3197.html

[Djelibeybi]

Oracle Linux is not affected by CVE-2016-0701 but is affected by CVE-2015-3197. Our security team is currently evaluating whether to release an update for this CVE given the low impact.

[tianon]

GitHub's email gateway appears to be struggling today: Cool, thanks for the update! It's looking like that's a pretty common result of this so far. 👍

[tianon]

Given the age and relative severity of this vulnerability and in light of #1448 getting a rebuild for most major bits anyhow, I'm going to close this and declare it generally either FIXED, PENDING, or WONTFIX (and thus really nothing more we can do here).