[openssl-commits] [web] master update
Matt Caswell
matt at openssl.org
Fri Dec 4 14:36:20 UTC 2015
The branch master has been updated
via fcace5ea8033431af48292d859b0c23157c5bd3c (commit)
from 1a3906055598e138b7a565567e5ecf0457d0092a (commit)
- Log -----------------------------------------------------------------
commit fcace5ea8033431af48292d859b0c23157c5bd3c
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 4 14:30:05 2015 +0000
Updated security advisory added
-----------------------------------------------------------------------
Summary of changes:
news/secadv/20151203.txt | 24 ++++++++++++++++++++++--
news/vulnerabilities.xml | 17 +++++++++++++++++
2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/news/secadv/20151203.txt b/news/secadv/20151203.txt
index 44051a2..b1d0bb9 100644
--- a/news/secadv/20151203.txt
+++ b/news/secadv/20151203.txt
@@ -1,5 +1,9 @@
-OpenSSL Security Advisory [3 Dec 2015]
-=======================================
+OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
+=============================================================
+
+[Updated 4 Dec 2015]: This advisory has been updated to include the details of
+CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
+included in the released packages but was missed from the advisory text.
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
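Review bot: the new update paragraph (lines starting "[Updated 4 Dec 2015]:") tells readers the fix for CVE-2015-1794 is already in the released packages but does not say which release, so someone who only reads the top of the advisory cannot tell whether their build is patched; suggest naming the release here in the same wording the new section uses further down ("OpenSSL 1.0.2 users should upgrade to 1.0.2e").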
@@ -97,6 +101,22 @@ ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).
The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
+Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
+============================================================
+
+Severity: Low
+
+If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
+the value of p set to 0 then a seg fault can occur leading to a possible denial
+of service attack.
+
+This issue affects OpenSSL version 1.0.2.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2e
+
+This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
+fix was developed by Matt Caswell of the OpenSSL development team.
+
Note
====
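Review bot: the new CVE-2015-1794 section omits the fix commit id that the other sections of this advisory give (the hunk context shows the preceding section closing with "ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0)"), so add a matching "The fix is in commit id <id> (1.0.2)" line so defenders can verify the backport by hash rather than by version string alone. Two smaller points: "OpenSSL 1.0.2 users should upgrade to 1.0.2e" is missing its trailing full stop, unlike the equivalent lines elsewhere in the file, and "seg fault" would read better as "segmentation fault" in an advisory.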
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index b2629d7..c8d7895 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -6,6 +6,23 @@
-->
<security updated="20151203">
+ <issue public="20150811">
+ <cve name="2015-1794"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
+
+ <description>
+ If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
+ the value of p set to 0 then a seg fault can occur leading to a possible denial
+ of service attack.
+ </description>
+ <advisory url="/news/secadv/20151203.txt"/>
+ <reported source="Guy Leaver (Cisco)"/>
+ </issue>
<issue public="20151203">
<cve name="2015-3193"/>
<affects base="1.0.2" version="1.0.2"/>
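Review bot: the hunk adds an issue dated to this update but leaves the enclosing `<security updated="20151203">` (unchanged context) at the original advisory date, so anything consuming vulnerabilities.xml to detect changes will not see that the file was revised on 4 Dec; bump `updated` to "20151204" in the same commit. The new `<issue>` is otherwise consistent with the advisory text: `public="20150811"` fits the reported date of 3 Aug 2015, the `<affects>` entries span 1.0.2 through 1.0.2d, and `<fixed ... version="1.0.2e" date="20151203"/>` matches the upgrade instruction.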