rhsa-2015_0752
Vulnerability from csaf_redhat
Published
2015-03-30 07:58
Modified
2024-09-15 22:24
Summary
Red Hat Security Advisory: openssl security update

Notes

Topic
Updated openssl packages that fix multiple security issues are now available for Red Hat Storage 2.1. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL's ASN1_TYPE_cmp() function. A remote attacker could crash a TLS/SSL client or server using OpenSSL via a specially crafted X.509 certificate when the attacker-supplied certificate was verified by the application. (CVE-2015-0286) An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. (CVE-2015-0292) A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported. (CVE-2015-0209) An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287) A NULL pointer dereference flaw was found in OpenSSL's X.509 certificate handling implementation. A specially crafted X.509 certificate could cause an application using OpenSSL to crash if the application attempted to convert the certificate to a certificate request. (CVE-2015-0288) A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. (CVE-2015-0289) Red Hat would like to thank the OpenSSL project for reporting CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. Upstream acknowledges Stephen Henson of the OpenSSL development team as the original reporter of CVE-2015-0286, Emilia Käsper of the OpenSSL development team as the original reporter of CVE-2015-0287, Brian Carpenter as the original reporter of CVE-2015-0288, Michal Zalewski of Google as the original reporter of CVE-2015-0289, Robert Dugal and David Ramos as the original reporters of CVE-2015-0292, and Sean Burford of Google and Emilia Käsper of the OpenSSL development team as the original reporters of CVE-2015-0293. All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated openssl packages that fix multiple security issues are now\navailable for Red Hat Storage 2.1.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)\nand Transport Layer Security (TLS v1) protocols, as well as a\nfull-strength, general purpose cryptography library.\n\nAn invalid pointer use flaw was found in OpenSSL\u0027s ASN1_TYPE_cmp()\nfunction. A remote attacker could crash a TLS/SSL client or server using\nOpenSSL via a specially crafted X.509 certificate when the\nattacker-supplied certificate was verified by the application.\n(CVE-2015-0286)\n\nAn integer underflow flaw, leading to a buffer overflow, was found in the\nway OpenSSL decoded malformed Base64-encoded inputs. An attacker able to\nmake an application using OpenSSL decode a specially crafted Base64-encoded\ninput (such as a PEM file) could use this flaw to cause the application to\ncrash. Note: this flaw is not exploitable via the TLS/SSL protocol because\nthe data being transferred is not Base64-encoded. (CVE-2015-0292)\n\nA denial of service flaw was found in the way OpenSSL handled SSLv2\nhandshake messages. A remote attacker could use this flaw to cause a\nTLS/SSL server using OpenSSL to exit on a failed assertion if it had both\nthe SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)\n\nA use-after-free flaw was found in the way OpenSSL imported malformed\nElliptic Curve private keys. A specially crafted key file could cause an\napplication using OpenSSL to crash when imported. (CVE-2015-0209)\n\nAn out-of-bounds write flaw was found in the way OpenSSL reused certain\nASN.1 structures. A remote attacker could possibly use a specially crafted\nASN.1 structure that, when parsed by an application, would cause that\napplication to crash. (CVE-2015-0287)\n\nA NULL pointer dereference flaw was found in OpenSSL\u0027s X.509 certificate\nhandling implementation. A specially crafted X.509 certificate could cause\nan application using OpenSSL to crash if the application attempted to\nconvert the certificate to a certificate request. (CVE-2015-0288)\n\nA NULL pointer dereference was found in the way OpenSSL handled certain\nPKCS#7 inputs. An attacker able to make an application using OpenSSL\nverify, decrypt, or parse a specially crafted PKCS#7 input could cause that\napplication to crash. TLS/SSL clients and servers using OpenSSL were not\naffected by this flaw. (CVE-2015-0289)\n\nRed Hat would like to thank the OpenSSL project for reporting\nCVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292,\nand CVE-2015-0293. Upstream acknowledges Stephen Henson of the OpenSSL\ndevelopment team as the original reporter of CVE-2015-0286, Emilia K\u00e4sper\nof the OpenSSL development team as the original reporter of CVE-2015-0287,\nBrian Carpenter as the original reporter of CVE-2015-0288, Michal Zalewski\nof Google as the original reporter of CVE-2015-0289, Robert Dugal and David\nRamos as the original reporters of CVE-2015-0292, and Sean Burford of\nGoogle and Emilia K\u00e4sper of the OpenSSL development team as the original\nreporters of CVE-2015-0293.\n\nAll openssl users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. For the update to take\neffect, all services linked to the OpenSSL library must be restarted, or\nthe system rebooted.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0752",
        "url": "https://access.redhat.com/errata/RHSA-2015:0752"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://www.openssl.org/news/secadv_20150319.txt",
        "url": "https://www.openssl.org/news/secadv_20150319.txt"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/1384453",
        "url": "https://access.redhat.com/articles/1384453"
      },
      {
        "category": "external",
        "summary": "1196737",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1196737"
      },
      {
        "category": "external",
        "summary": "1202366",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202366"
      },
      {
        "category": "external",
        "summary": "1202380",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202380"
      },
      {
        "category": "external",
        "summary": "1202384",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202384"
      },
      {
        "category": "external",
        "summary": "1202395",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202395"
      },
      {
        "category": "external",
        "summary": "1202404",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202404"
      },
      {
        "category": "external",
        "summary": "1202418",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202418"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2015/rhsa-2015_0752.json"
      }
    ],
    "title": "Red Hat Security Advisory: openssl security update",
    "tracking": {
      "current_release_date": "2024-09-15T22:24:39+00:00",
      "generator": {
        "date": "2024-09-15T22:24:39+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2015:0752",
      "initial_release_date": "2015-03-30T07:58:28+00:00",
      "revision_history": [
        {
          "date": "2015-03-30T07:58:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-03-30T07:58:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-15T22:24:39+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Storage Server 2.1",
                "product": {
                  "name": "Red Hat Storage Server 2.1",
                  "product_id": "6Server-RHS-6.4.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:storage:2.1:server:el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Gluster Storage"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
                "product": {
                  "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_id": "openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-debuginfo@1.0.1e-30.el6_6.7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-static-0:1.0.1e-30.el6_6.7.x86_64",
                "product": {
                  "name": "openssl-static-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_id": "openssl-static-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-static@1.0.1e-30.el6_6.7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-0:1.0.1e-30.el6_6.7.x86_64",
                "product": {
                  "name": "openssl-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_id": "openssl-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.0.1e-30.el6_6.7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
                "product": {
                  "name": "openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_id": "openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-perl@1.0.1e-30.el6_6.7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
                "product": {
                  "name": "openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_id": "openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl-devel@1.0.1e-30.el6_6.7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openssl-0:1.0.1e-30.el6_6.7.src",
                "product": {
                  "name": "openssl-0:1.0.1e-30.el6_6.7.src",
                  "product_id": "openssl-0:1.0.1e-30.el6_6.7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openssl@1.0.1e-30.el6_6.7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-0:1.0.1e-30.el6_6.7.src as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src"
        },
        "product_reference": "openssl-0:1.0.1e-30.el6_6.7.src",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-0:1.0.1e-30.el6_6.7.x86_64 as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64"
        },
        "product_reference": "openssl-0:1.0.1e-30.el6_6.7.x86_64",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64 as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64"
        },
        "product_reference": "openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-devel-0:1.0.1e-30.el6_6.7.x86_64 as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64"
        },
        "product_reference": "openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-perl-0:1.0.1e-30.el6_6.7.x86_64 as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64"
        },
        "product_reference": "openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openssl-static-0:1.0.1e-30.el6_6.7.x86_64 as a component of Red Hat Storage Server 2.1",
          "product_id": "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        },
        "product_reference": "openssl-static-0:1.0.1e-30.el6_6.7.x86_64",
        "relates_to_product_reference": "6Server-RHS-6.4.z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-0209",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "discovery_date": "2015-02-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1196737"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: use-after-free on invalid EC private key import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0209"
        },
        {
          "category": "external",
          "summary": "RHBZ#1196737",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1196737"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0209",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0209"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0209",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0209"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-02-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: use-after-free on invalid EC private key import"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Stephen Henson"
          ],
          "organization": "OpenSSL development team",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0286",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202366"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An invalid pointer use flaw was found in OpenSSL\u0027s ASN1_TYPE_cmp() function. A remote attacker could crash a TLS/SSL client or server using OpenSSL via a specially crafted X.509 certificate when the attacker-supplied certificate was verified by the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: invalid pointer use in ASN1_TYPE_cmp()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0286"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202366",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202366"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0286",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0286"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0286",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0286"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: invalid pointer use in ASN1_TYPE_cmp()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Emilia K\u00e4sper"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0287",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202380"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: ASN.1 structure reuse memory corruption",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0287"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202380",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202380"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0287",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0287"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0287",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0287"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: ASN.1 structure reuse memory corruption"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Brian Carpenter"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0288",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202418"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A NULL pointer dereference flaw was found in OpenSSL\u0027s X.509 certificate handling implementation. A specially crafted X.509 certificate could cause an application using OpenSSL to crash if the application attempted to convert the certificate to a certificate request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: X509_to_X509_REQ NULL pointer dereference",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0288"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202418",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202418"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0288",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0288"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0288",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0288"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: X509_to_X509_REQ NULL pointer dereference"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Michal Zalewski"
          ],
          "organization": "Google",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0289",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202384"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: PKCS7 NULL pointer dereference",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0289"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202384",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202384"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0289",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0289"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0289",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0289"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: PKCS7 NULL pointer dereference"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Robert Dugal",
            "David Ramos"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0292",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202395"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: integer underflow leading to buffer overflow in base64 decoding",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0292"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202395",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202395"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0292",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0292"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0292",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0292"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: integer underflow leading to buffer overflow in base64 decoding"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the OpenSSL project"
          ]
        },
        {
          "names": [
            "Emilia K\u00e4sper"
          ],
          "organization": "the OpenSSL development team",
          "summary": "Acknowledged by upstream."
        },
        {
          "names": [
            "Sean Burford"
          ],
          "organization": "Google",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2015-0293",
      "cwe": {
        "id": "CWE-617",
        "name": "Reachable Assertion"
      },
      "discovery_date": "2015-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1202404"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: assertion failure in SSLv2 servers",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-0293"
        },
        {
          "category": "external",
          "summary": "RHBZ#1202404",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202404"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0293",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-0293"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0293",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0293"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/1384453",
          "url": "https://access.redhat.com/articles/1384453"
        },
        {
          "category": "external",
          "summary": "https://openssl.org/news/secadv_20150319.txt",
          "url": "https://openssl.org/news/secadv_20150319.txt"
        }
      ],
      "release_date": "2015-03-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: assertion failure in SSLv2 servers"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the OpenSSL project"
          ]
        },
        {
          "names": [
            "David Adrian",
            "J. Alex Halderman"
          ],
          "organization": "University of Michigan",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2016-0703",
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310811"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: Divide-and-conquer session key recovery in SSLv2",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0703"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310811",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310811"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0703",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0703"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0703",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0703"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv/20160301.txt",
          "url": "https://www.openssl.org/news/secadv/20160301.txt"
        }
      ],
      "release_date": "2016-03-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: Divide-and-conquer session key recovery in SSLv2"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the OpenSSL project"
          ]
        },
        {
          "names": [
            "David Adrian",
            "J. Alex Halderman"
          ],
          "organization": "University of Michigan",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2016-0704",
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310814"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
          "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
          "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0704"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310814",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310814"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0704",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0704"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0704",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0704"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv/20160301.txt",
          "url": "https://www.openssl.org/news/secadv/20160301.txt"
        }
      ],
      "release_date": "2016-03-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0752"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.src",
            "6Server-RHS-6.4.z:openssl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-debuginfo-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-devel-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-perl-0:1.0.1e-30.el6_6.7.x86_64",
            "6Server-RHS-6.4.z:openssl-static-0:1.0.1e-30.el6_6.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.