Bugzilla – Bug 901277
VUL-0: CVE-2014-3513, CVE-2014-3567: openssl: DTLS mem leak and session ticket mem leak
Last modified: 2022-02-16 21:16:01 UTC
This is privately reported: OpenSSL Security Advisory [15 Oct 2014] ======================================= SRTP Memory Leak (CVE-2014-3513) ================================ Severity: High A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory, causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. OpenSSL 1.0.1 users should upgrade to 1.0.1j. This issue was reported to OpenSSL on 26th September 2014, based on an original issue and patch developed by the LibreSSL project. Further analysis of the issue was performed by the OpenSSL team. The fix was developed by the OpenSSL team. Session Ticket Memory Leak (CVE-2014-3567) ========================================== Severity: Medium When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. OpenSSL 1.0.1 users should upgrade to 1.0.1j. OpenSSL 1.0.0 users should upgrade to 1.0.0o. OpenSSL 0.9.8 users should upgrade to 0.9.8zc. This issue was reported to OpenSSL on 8th October 2014. The fix was developed by Stephen Henson of the OpenSSL core team.
Just went public, so we can go ahead and fix it alltogether.
https://www.openssl.org/news/secadv_20141015.txt
To summarize the information, we have 4 issues: CVE-2014-3513 - SRTP memory leak - affects only openSUSE distributions and SLE-12 CVE-2014-3566 - the SSL 3.0 protocol vulnerability - everything is affected CVE-2014-3567 - Session Ticket Memory Leak - everything is affected CVE-2014-3568 - incomplete no-sslv3 option - everything is affected
This is an autogenerated message for OBS integration: This bug (901277) was mentioned in https://build.opensuse.org/request/show/256899 13.1+12.3 / openssl
Can we be provided with an ETA for a Patches to this issue?? thanks Boyd
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-10-28. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59461
╔════════════╦═════════╦══════════╦═══════════════════╗ ║ Affected ║ openssl ║ openssl1 ║ compat-openssl098 ║ ╠════════════╬═════════╬══════════╬═══════════════════╣ ║ SLE-10-SP3 ║ 6,7,8 ║ - ║ - ║ ║ SLE-11-SP1 ║ 6,7,8 ║ - ║ - ║ ║ SLE-11-SP3 ║ 6,7,8 ║ 3,6,7,8 ║ - ║ ║ SLE-12 ║ 3,6,7,8 ║ - ║ 6,7,8 ║ ╚════════════╩═════════╩══════════╩═══════════════════╝ "3,6,7,8" means CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568 respectively. "-" means not affected / package not there. Then there's something called compat-openssl097g. According to "isc maintained" it's in SLE-10-SP3 and SLE-11-SP1. However, it hasn't received any updates since 2012. Is it still maintained? Does anyone know? For openSUSE, only Factory is waiting for the fixes.
openssl 0.9.8a in SLE-10 doesn't support RFC 4507 (SessionTicket TLS Extension), so it's not affected by CVE-2014-3567. Here's the updated table: ╔════════════╦═════════╦══════════╦═══════════════════╗ ║ Affected ║ openssl ║ openssl1 ║ compat-openssl098 ║ ╠════════════╬═════════╬══════════╬═══════════════════╣ ║ SLE-10-SP3 ║ 6,8 ║ - ║ - ║ ║ SLE-11-SP1 ║ 6,7,8 ║ - ║ - ║ ║ SLE-11-SP3 ║ 6,7,8 ║ 3,6,7,8 ║ - ║ ║ SLE-12 ║ 3,6,7,8 ║ - ║ 6,7,8 ║ ╚════════════╩═════════╩══════════╩═══════════════════╝
openSUSE-SU-2014:1331-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 901223,901277 CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: openSUSE 13.1 (src): openssl-1.0.1j-11.56.1 openSUSE 12.3 (src): openssl-1.0.1j-1.68.1
I do not see any mentioning of SLE-11-SP2. Are we not planning on releasing an updated openssl package for that product - given that we will release for 10-SP4 and 11-SP1 ?
We will be releasing LTSS updates for these CVEs.
SUSE-SU-2014:1357-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 901223,901277 CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Security Module 11 SP3 (src): openssl1-1.0.1g-0.22.1
SUSE-SU-2014:1361-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 892403,901223,901277 CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): openssl-0.9.8j-0.66.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): openssl-0.9.8j-0.66.1 SUSE Linux Enterprise Server 11 SP3 (src): openssl-0.9.8j-0.66.1 SUSE Linux Enterprise Desktop 11 SP3 (src): openssl-0.9.8j-0.66.1
SUSE-SU-2014:1386-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 892403,901223,901277 CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): openssl-0.9.8j-0.66.1 SUSE Linux Enterprise Server 11 SP1 LTSS (src): openssl-0.9.8j-0.66.1
SUSE-SU-2014:1387-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 901223,901277 CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): openssl-0.9.8a-18.86.3
*** Bug 903739 has been marked as a duplicate of this bug. ***
SUSE-SU-2014:1409-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 901223,901277 CVE References: CVE-2014-3566,CVE-2014-3568 Sources used: SLE CLIENT TOOLS 10 for x86_64 (src): openssl-0.9.8a-18.86.2 SLE CLIENT TOOLS 10 for s390x (src): openssl-0.9.8a-18.86.2 SLE CLIENT TOOLS 10 (src): openssl-0.9.8a-18.86.2
SUSE-SU-2014:1387-2: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 901223,901277 CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Studio Onsite 1.3 (src): openssl-0.9.8j-0.66.1 SUSE Manager 1.7 for SLE 11 SP2 (src): openssl-0.9.8j-0.66.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-11-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59655
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-11-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59656
Hi All: A confliction appears when i upgrade the openssl. What should i do?? linux-8lij:~/openssl_rpm # rpm -Uvh ./openssl-0.9.8a-18.45.79.3.7633.0.PTF.901277.i586.rpm Preparing... ########################################### [100%] file /etc/ssl/certs/Entrust_net_Premium_2048_Secure_Server_CA.pem from install of openssl-0.9.8a-18.45.79.3.7633.0.PTF.901277 conflicts with file from package openssl-certs-1.85-0.17.1
(In reply to Xin Rong Fu from comment #46) > Hi All: > A confliction appears when i upgrade the openssl. > What should i do?? > > linux-8lij:~/openssl_rpm # rpm -Uvh > ./openssl-0.9.8a-18.45.79.3.7633.0.PTF.901277.i586.rpm > Preparing... ########################################### > [100%] > file /etc/ssl/certs/Entrust_net_Premium_2048_Secure_Server_CA.pem from > install of openssl-0.9.8a-18.45.79.3.7633.0.PTF.901277 conflicts with file > from package openssl-certs-1.85-0.17.1 both openssl and openssl-cert contains the same file /etc/ssl/certs/Entrust_net_Premium_2048_Secure_Server_CA.pem it should not cause any problem to service, but can we remove this file from any one of them?
SUSE-SU-2014:1512-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 901223,901277 CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Module for Legacy Software 12 (src): compat-openssl098-0.9.8j-62.1 SUSE Linux Enterprise Desktop 12 (src): compat-openssl098-0.9.8j-62.1
SUSE-SU-2014:1524-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 901223,901277 CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): openssl-1.0.1i-5.1 SUSE Linux Enterprise Server 12 (src): openssl-1.0.1i-5.1 SUSE Linux Enterprise Desktop 12 (src): openssl-1.0.1i-5.1
L3 is closed. Ya Dan Fan
SUSE-SU-2014:1557-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 802184,880891,890764,901223,901277,905106 CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568 Sources used: SUSE Linux Enterprise for SAP Applications 11 SP1 (src): compat-openssl097g-0.9.7g-146.22.25.1
SUSE-SU-2014:1557-2: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 802184,880891,890764,901223,901277,905106 CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568 Sources used: SUSE Linux Enterprise Desktop 11 SP3 (src): compat-openssl097g-0.9.7g-146.22.25.1
released all things
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed. Category: security (important) Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501 CVE References: Sources used: SUSE Linux Enterprise for SAP Applications 11 SP2 (src): compat-openssl097g-0.9.7g-146.22.29.1
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available. Category: feature (moderate) Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668 CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712 JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135 Sources used: SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.