FreeBSD Bugzilla – Attachment 188555 Details for
Bug 224106
security/vuxml missing FreeBSD SA entries
entry for SA-17:11.openssl
vuln_SA-17:11.openssl.xml (text/plain), 2.29 KB, created by
Miroslav Lachman
on 2017-12-05 15:03:35 UTC
<vuln vid="9524a4aa-d9cc-11e7-8804-f8b156ac3ff9">
  <topic>OpenSSL multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>11.1</ge><lt>11.1_5</lt></range>
      <range><ge>11.0</ge><lt>11.0_16</lt></range>
      <range><ge>10.4</ge><lt>10.4_4</lt></range>
      <range><ge>10.3</ge><lt>10.3_25</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <h1>Problem Description:</h1>
      <p>If an X.509 certificate has a malformed IPAddressFamily
        extension, OpenSSL could do a one-byte buffer overread.
        [CVE-2017-3735]</p>
      <p>There is a carry propagating bug in the x86_64 Montgomery
        squaring procedure. This only affects processors that support
        the BMI1, BMI2 and ADX extensions like Intel Broadwell
        (5th generation) and later or AMD Ryzen. [CVE-2017-3736]
        This bug only affects FreeBSD 11.x.</p>
      <h1>Impact:</h1>
      <p>Application using OpenSSL may display erroneous certificate
        in text format. [CVE-2017-3735]</p>
      <p>Mishandling of carry propagation will produce incorrect output,
        and make it easier for a remote attacker to obtain sensitive
        private-key information. No EC algorithms are affected, analysis
        suggests that attacks against RSA and DSA as a result of this
        defect would be very difficult to perform and are not believed likely.</p>
      <p>Attacks against DH are considered just feasible (although
        very difficult) because most of the work necessary to deduce
        information about a private key may be performed offline.
        The amount of resources required for such an attack would
        be very significant and likely only accessible to a limited
        number of attackers. An attacker would additionally need online
        access to an unpatched system using the target private key
        in a scenario with persistent DH parameters and a private key
        that is shared between multiple clients.
        [CVE-2017-3736]</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2017-3735</cvename>
    <cvename>CVE-2017-3736</cvename>
    <freebsdsa>SA-17:11.openssl</freebsdsa>
  </references>
  <dates>
    <discovery>2017-11-02</discovery>
    <entry>2017-12-05</entry>
  </dates>
</vuln>