MNBSD-2016-9: Multiple OpenSSL vulnerabilities (AES-NI CBC padding, encode/encrypt overflows, ASN.1 memory exhaustion)

Severity: Unknown

Affected Package: openssl

Summary: Multiple OpenSSL vulnerabilities (AES-NI CBC padding, encode/encrypt overflows, ASN.1 memory exhaustion)

Description

OpenSSL security update fixing an AES-NI CBC MAC padding check that no longer verified sufficient data was present (a padding-oracle style flaw), overflows in EVP_EncodeUpdate() and EVP_EncryptUpdate(), and an ASN.1 issue where short invalid encodings read via d2i_CMS_bio()-style functions could allocate large amounts of memory. Fixed in the 0.7.7 release.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109

Published: May 05, 2016
Last Modified: May 05, 2016