ALAS-2015-550


Amazon Linux AMI Security Advisory: ALAS-2015-550
Advisory Release Date: 2015-06-16 11:46 Pacific
Severity: Medium

Issue Overview:

LOGJAM: A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. (CVE-2015-4000)

An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially-crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash. (CVE-2015-1789)

A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. (CVE-2015-1790)

A race condition was found in the session handling code of OpenSSL. An attacker could cause a multi-threaded SSL/TLS server to crash. (CVE-2015-1791)

A denial of service flaw was found in OpenSSL in the way it verified certain signed messages using CMS (Cryptographic Message Syntax). A remote attacker could cause an application using OpenSSL to use excessive amounts of memory by sending a specially-crafted message for verification. (CVE-2015-1792)

An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially-crafted message to the peer, which could cause the application to crash or potentially cause arbitrary code execution. (CVE-2014-8176)

A regression was found in the ssleay_rand_bytes() function. This could lead a multi-threaded application to crash. (CVE-2015-3216)


Affected Packages:

openssl


Issue Correction:
Run yum update openssl to update your system.

New Packages:
i686:
    openssl-devel-1.0.1k-10.86.amzn1.i686
    openssl-static-1.0.1k-10.86.amzn1.i686
    openssl-1.0.1k-10.86.amzn1.i686
    openssl-perl-1.0.1k-10.86.amzn1.i686
    openssl-debuginfo-1.0.1k-10.86.amzn1.i686

src:
    openssl-1.0.1k-10.86.amzn1.src

x86_64:
    openssl-1.0.1k-10.86.amzn1.x86_64
    openssl-static-1.0.1k-10.86.amzn1.x86_64
    openssl-devel-1.0.1k-10.86.amzn1.x86_64
    openssl-debuginfo-1.0.1k-10.86.amzn1.x86_64
    openssl-perl-1.0.1k-10.86.amzn1.x86_64
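
To confirm the update took effect, the following added example (not part of the original advisory) flags openssl packages older than the fixed version-release 1.0.1k-10.86.amzn1 from the New Packages list. The function names are hypothetical, the sample inventory is constructed, and GNU sort -V is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: audit an rpm inventory against the fix in ALAS-2015-550.
FIXED_EVR="1.0.1k-10.86.amzn1"   # version-release from the New Packages list

# Return 0 if version-release $1 is at or above $2.
# Assumption: GNU `sort -V` stands in for RPM's own version comparison,
# which is adequate for the version strings this package uses.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Read "name version-release" lines on stdin and report every package from
# the advisory that is below the fixed build. Returns 1 if any was found.
check_openssl_packages() {
    rc=0
    while read -r name evr; do
        case "$name" in
            openssl|openssl-devel|openssl-static|openssl-perl|openssl-debuginfo) ;;
            *) continue ;;   # not covered by this advisory
        esac
        if ! evr_at_least "$evr" "$FIXED_EVR"; then
            echo "VULNERABLE $name $evr (fixed in $FIXED_EVR)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not taken from a real host) for an offline run.
sample_inventory() {
    printf '%s\n' \
        'openssl 1.0.1k-1.84.amzn1' \
        'openssl-devel 1.0.1k-10.86.amzn1' \
        'bash 4.1.2-15.amzn1'
}

# Offline demonstration; a non-zero result means a package still needs updating.
sample_inventory | check_openssl_packages || echo "update required"

# On a live Amazon Linux host, feed the real inventory instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'openssl*' | check_openssl_packages
```

The comparison covers version and release only and ignores the package epoch.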