MNBSD-2016-3: Multiple OpenSSL vulnerabilities (RSA PSS NULL deref, X509_ATTRIBUTE leak, PSK identity hint)

Severity: Unknown

Affected Package: openssl

Summary: Multiple OpenSSL vulnerabilities (RSA PSS NULL deref, X509_ATTRIBUTE leak, PSK identity hint)

Description

OpenSSL update addressing a NULL pointer dereference crash when verifying an RSA PSS signature with an absent mask generation function parameter, a memory leak when parsing a malformed X509_ATTRIBUTE structure, and incorrect updating of PSK identity hints in the parent SSL_CTX for multi-threaded clients. These could cause denial of service or memory corruption. Fixed in the 0.7.3 release.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196

Published: January 14, 2016
Last Modified: January 14, 2016