rpm package

suse/openssl1&distro=SUSE Linux Enterprise Server 11-SECURITY

pkg:rpm/suse/openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY

Vulnerabilities (47)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2016-6303	Cri	9.8	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 16, 2016	Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-6302	Hig	7.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 16, 2016	The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
CVE-2016-2182	Cri	9.8	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 16, 2016	The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors
CVE-2016-2181	Hig	7.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 16, 2016	The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, re
CVE-2016-2179	Hig	7.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 16, 2016	The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simulta
CVE-2016-2183	Hig	7.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Sep 1, 2016	The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura
CVE-2016-2180	Hig	7.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Aug 1, 2016	The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp f
CVE-2016-2178	Med	5.5	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Jun 20, 2016	The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-2177	Cri	9.8	< 1.0.1g-0.52.1	1.0.1g-0.52.1	Jun 20, 2016	OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior,
CVE-2016-2109	Hig	7.5	< 1.0.1g-0.47.1	1.0.1g-0.47.1	May 5, 2016	The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVE-2016-2108	Cri	9.8	< 1.0.1g-0.47.1	1.0.1g-0.47.1	May 5, 2016	The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVE-2016-2107	Med	5.9	< 1.0.1g-0.47.1	1.0.1g-0.47.1	May 5, 2016	The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: thi
CVE-2016-2106	Hig	7.5	< 1.0.1g-0.47.1	1.0.1g-0.47.1	May 5, 2016	Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-2105	Hig	7.5	< 1.0.1g-0.47.1	1.0.1g-0.47.1	May 5, 2016	Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVE-2016-0799	Cri	9.8	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 3, 2016	The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a lo
CVE-2016-0798	Hig	7.5	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 3, 2016	Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto
CVE-2016-0797	Hig	7.5	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 3, 2016	Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (
CVE-2016-0705	Cri	9.8	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 3, 2016	Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA privat
CVE-2016-0702	Med	5.1	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 3, 2016	The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a craft
CVE-2016-0704	Med	5.9	< 1.0.1g-0.40.1	1.0.1g-0.40.1	Mar 2, 2016	An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, whi

CVE-2016-6303CriSep 16, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-6302HigSep 16, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
CVE-2016-2182CriSep 16, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors
CVE-2016-2181HigSep 16, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, re
CVE-2016-2179HigSep 16, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simulta
CVE-2016-2183HigSep 1, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura
CVE-2016-2180HigAug 1, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp f
CVE-2016-2178MedJun 20, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-2177CriJun 20, 2016
affected < 1.0.1g-0.52.1fixed 1.0.1g-0.52.1
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior,
CVE-2016-2109HigMay 5, 2016
affected < 1.0.1g-0.47.1fixed 1.0.1g-0.47.1
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVE-2016-2108CriMay 5, 2016
affected < 1.0.1g-0.47.1fixed 1.0.1g-0.47.1
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVE-2016-2107MedMay 5, 2016
affected < 1.0.1g-0.47.1fixed 1.0.1g-0.47.1
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: thi
CVE-2016-2106HigMay 5, 2016
affected < 1.0.1g-0.47.1fixed 1.0.1g-0.47.1
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-2105HigMay 5, 2016
affected < 1.0.1g-0.47.1fixed 1.0.1g-0.47.1
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVE-2016-0799CriMar 3, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a lo
CVE-2016-0798HigMar 3, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto
CVE-2016-0797HigMar 3, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (
CVE-2016-0705CriMar 3, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA privat
CVE-2016-0702MedMar 3, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a craft
CVE-2016-0704MedMar 2, 2016
affected < 1.0.1g-0.40.1fixed 1.0.1g-0.40.1
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, whi

Page 2 of 3