alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2019-07-23T13:51:39Z

Issue #4360: [v2.7] cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4360
Author: Alexander Belous
Updated: 2019-07-23T13:51:39Z
Bug:
Unspecified SQL Injection and Location header injection vulnerability
has been reported and fixed in Cacti.
Fix:
Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4360, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4356
* Changesets:
* Revision ab261126095eedae47ef08cc5b650d858188f2a3 by Natanael Copa on 2015-06-15T13:27:33Z:
```
main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)
fixes #4360
```
Milestone: Alpine 2.7.10
Assignee: Jeff Bilyk

Issue #4359: [v3.0] cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4359
Author: Alexander Belous
Updated: 2019-07-23T13:51:40Z
Bug:
Unspecified SQL Injection and Location header injection vulnerability
has been reported and fixed in Cacti.
Fix:
Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4359, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4356
* Changesets:
* Revision ab2ca6142f8ba94f3f65218aa5c02658e542bb3d by Natanael Copa on 2015-06-15T13:26:33Z:
```
main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)
fixes #4359
```
Milestone: 3.0.7
Assignee: Jeff Bilyk

Issue #4358: [v3.1] cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4358
Author: Alexander Belous
Updated: 2019-07-23T13:51:40Z
Bug:
Unspecified SQL Injection and Location header injection vulnerability
has been reported and fixed in Cacti.
Fix:
Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4358, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4356
* Changesets:
* Revision 3825d1210ce5b87d176eba4d583c4366bc9141de by Natanael Copa on 2015-06-15T13:25:21Z:
```
main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)
fixes #4358
```
Milestone: 3.1.5
Assignee: Jeff Bilyk

Issue #4357: [v3.2] cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4357
Author: Alexander Belous
Updated: 2019-07-23T13:51:42Z
Bug:
Unspecified SQL Injection and Location header injection vulnerability
has been reported and fixed in Cacti.
Fix:
Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4357, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4356
* Changesets:
* Revision 6265e118d5015269910665d7cbd889b57baf70d2 by Natanael Copa on 2015-06-15T13:24:38Z:
```
main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)
fixes #4357
```
Milestone: 3.2.1
Assignee: Jeff Bilyk

Issue #4356: cacti: SQL Injection and Location header injection from cdef id (CVE-2015-4342)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4356
Author: Alexander Belous
Updated: 2019-07-23T13:51:43Z
Bug:
> Unspecified SQL Injection and Location header injection
> vulnerability has been reported and fixed in Cacti.
Fix:
> Cacti 0.8.8d
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4342
*(from redmine: issue id 4356, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* child #4357
* child #4358
* child #4359
* child #4360

Issue #4355: [v2.7] cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4355
Author: Alexander Belous
Updated: 2019-07-23T13:51:44Z
We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
1. Use the CGI template engine to inject malicious HTML in a hyperlink,
which is executed by the browser (a similar attack could be performed by
a specially written program)
2. A specially-crafted print-job or create-job request is sent to cupsd
containing the job-originating-host-name attribute with multiple
nameWithLanguage values - this triggers a validation error in cupsd,
which then tries to free the language strings multiple times.
3. The language string passed in is /admin, which causes the cupsd.conf
ACL’s copy of the string to become corrupted, allowing anyone to PUT a
new cupsd.conf file.
4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
dynamic library.
5. The next job or request that triggers the execution of a helper
program through cups-exec, and the dynamic linker loads the malicious
code. Depending on the version of CUPS and platform, the code will
execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than
manipulating the string values directly, particularly for the processing
of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from
leaking into output
- Add new cgiSetVariable function to flag variables that are already
encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4355, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4351
* Changesets:
* Revision 40283b5ee346c43fe039dffe33f22e009c0094a1 by Natanael Copa on 2015-06-15T13:35:53Z:
```
main/cups: security fix for CVE-2015-1158,CVE-2015-1159
* Improper Update of Reference Count -- CVE-2015-1158
* Cross-Site Scripting -- CVE-2015-1159
fixes #4355
```
Milestone: Alpine 2.7.10
Assignee: Natanael Copa

Issue #4354: [v3.0] cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4354
Author: Alexander Belous
Updated: 2019-07-23T13:51:45Z
We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
1. Use the CGI template engine to inject malicious HTML in a hyperlink,
which is executed by the browser (a similar attack could be performed by
a specially written program)
2. A specially-crafted print-job or create-job request is sent to cupsd
containing the job-originating-host-name attribute with multiple
nameWithLanguage values - this triggers a validation error in cupsd,
which then tries to free the language strings multiple times.
3. The language string passed in is /admin, which causes the cupsd.conf
ACL’s copy of the string to become corrupted, allowing anyone to PUT a
new cupsd.conf file.
4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
dynamic library.
5. The next job or request that triggers the execution of a helper
program through cups-exec, and the dynamic linker loads the malicious
code. Depending on the version of CUPS and platform, the code will
execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than
manipulating the string values directly, particularly for the processing
of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from
leaking into output
- Add new cgiSetVariable function to flag variables that are already
encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4354, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4351
* Changesets:
* Revision 5f589ae6722e270d6297726d8ef6ab405dc22d93 by Natanael Copa on 2015-06-15T13:41:59Z:
```
main/cups: security fix for CVE-2015-1158,CVE-2015-1159
* Improper Update of Reference Count -- CVE-2015-1158
* Cross-Site Scripting -- CVE-2015-1159
fixes #4354
```
Milestone: 3.0.7
Assignee: Natanael Copa

Issue #4353: [v3.1] cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4353
Author: Alexander Belous
Updated: 2019-07-23T13:51:46Z
We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
1. Use the CGI template engine to inject malicious HTML in a hyperlink,
which is executed by the browser (a similar attack could be performed by
a specially written program)
2. A specially-crafted print-job or create-job request is sent to cupsd
containing the job-originating-host-name attribute with multiple
nameWithLanguage values - this triggers a validation error in cupsd,
which then tries to free the language strings multiple times.
3. The language string passed in is /admin, which causes the cupsd.conf
ACL’s copy of the string to become corrupted, allowing anyone to PUT a
new cupsd.conf file.
4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
dynamic library.
5. The next job or request that triggers the execution of a helper
program through cups-exec, and the dynamic linker loads the malicious
code. Depending on the version of CUPS and platform, the code will
execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than
manipulating the string values directly, particularly for the processing
of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from
leaking into output
- Add new cgiSetVariable function to flag variables that are already
encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4353, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4351
* Changesets:
* Revision 2bd688203ac9a6bade959c7857aa827a882a5a26 by Natanael Copa on 2015-06-15T13:36:35Z:
```
main/cups: security upgrade to 2.0.3 (CVE-2015-1158,CVE-2015-1159)
fixes #4353
```
Milestone: 3.1.5
Assignee: Natanael Copa

Issue #4352: [v3.2] cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4352
Author: Alexander Belous
Updated: 2019-07-23T13:51:47Z
We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
1. Use the CGI template engine to inject malicious HTML in a hyperlink,
which is executed by the browser (a similar attack could be performed by
a specially written program)
2. A specially-crafted print-job or create-job request is sent to cupsd
containing the job-originating-host-name attribute with multiple
nameWithLanguage values - this triggers a validation error in cupsd,
which then tries to free the language strings multiple times.
3. The language string passed in is /admin, which causes the cupsd.conf
ACL’s copy of the string to become corrupted, allowing anyone to PUT a
new cupsd.conf file.
4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
dynamic library.
5. The next job or request that triggers the execution of a helper
program through cups-exec, and the dynamic linker loads the malicious
code. Depending on the version of CUPS and platform, the code will
execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than
manipulating the string values directly, particularly for the processing
of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from
leaking into output
- Add new cgiSetVariable function to flag variables that are already
encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4352, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4351
* Changesets:
* Revision ff5aca650b718685ddf975d4f7f26993fc79f235 by Natanael Copa on 2015-06-15T13:40:50Z:
```
main/cups: security upgrade to 2.0.3 (CVE-2015-1158,CVE-2015-1159)
fixes #4352
```
Milestone: 3.2.1
Assignee: Natanael Copa

Issue #4351: cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4351
Author: Alexander Belous
Updated: 2019-07-23T13:51:47Z
We received a report from Google that cupsd can be exploited to perform
a privilege escalation using a combination of bugs and the dynamic
linker’s support for (pre)loading or redirecting which shared libraries
are used by the cups-exec helper program.
The exact attack does the following:
> 1. Use the CGI template engine to inject malicious HTML in a
> hyperlink, which is executed by the browser (a similar attack could be
> performed by a specially written program)
> 2. A specially-crafted print-job or create-job request is sent to
> cupsd containing the job-originating-host-name attribute with multiple
> nameWithLanguage values - this triggers a validation error in cupsd,
> which then tries to free the language strings multiple times.
> 3. The language string passed in is /admin, which causes the
> cupsd.conf ACL’s copy of the string to become corrupted, allowing anyone
> to PUT a new cupsd.conf file.
> 4. A new cupsd.conf file is uploaded to cupsd containing SetEnv
> directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious
> dynamic library.
> 5. The next job or request that triggers the execution of a helper
> program through cups-exec, and the dynamic linker loads the malicious
> code. Depending on the version of CUPS and platform, the code will
> execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web
interface is enabled, using failed POST or PUT requests to collect stale
request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through
the following changes:
> - cupsd should use the ippSetCount and ippSetString APIs rather
> than manipulating the string values directly, particularly for the
> processing of the job-originating-host-name attribute.
> - cupsd shouldn’t use string pool for config stuff
> - cupsd should remove temp files on partial POST/PUT
> - cupsd shouldn’t support LD_* and DYLD_* variables when running as root
> - Need to call cgiClearVariables in more places to prevent input
> from leaking into output
> - Add new cgiSetVariable function to flag variables that are
> already encoded HTML, and only give them special treatment
Fix:
> CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
*(from redmine: issue id 4351, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* child #4352
* child #4353
* child #4354
* child #4355

Issue #4350: pcre 8.37 contains multiple remote code execution vulnerabilities which are only fixed in upstream SVN
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4350
Author: Pascal Ernster
Updated: 2019-07-23T13:51:48Z
PCRE 8.37 contains multiple security vulnerabilities (over half a dozen
buffer overflows and reference offset bugs):
http://vcs.pcre.org/pcre/code/trunk/ChangeLog
At least one of those vulnerabilities has been assigned CVE-2015-3210,
where it is also claimed that this can be used for remote code
execution:
http://www.securitytracker.com/id/1032453
Although upstream has not yet released a new version of PCRE, they have
fixed these vulnerabilities in their SVN:
https://bugs.exim.org/show_bug.cgi?id=1636#c1
I therefore propose that the SVN version of PCRE be shipped until
upstream releases PCRE 8.38.
*(from redmine: issue id 4350, created on 2015-06-15, closed on 2019-05-04)*
Assignee: Natanael Copa

Issue #4349: PHP 5.6.9 contains security vulnerabilities, please ship version 5.6.10
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4349
Author: Pascal Ernster
Updated: 2019-07-23T13:51:49Z
The stable main repository still contains PHP 5.6.9 although this
version contains multiple security vulnerabilities which have been fixed
in version 5.6.10:
https://php.net/releases/5_6_10.php
https://php.net/ChangeLog-5.php#5.6.10
Version 5.6.10 seems to be in edge already, but is not in the stable
repository.
*(from redmine: issue id 4349, created on 2015-06-15, closed on 2015-09-21)*
Milestone: 3.2.4
Assignee: Natanael Copa

Issue #4348: [v2.7] openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4348
Author: Alexander Belous
Updated: 2019-07-23T13:51:50Z
Bugs:
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man-in-the-middle attacker
to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).
OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.
…
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Severity: Moderate
When processing an ECParameters structure OpenSSL enters an infinite
loop if the curve specified is over a specially malformed binary
polynomial field.
This can be used to perform denial of service against any system which
processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with client
authentication enabled.
This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.
…
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
Severity: Moderate
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in a
DoS on applications that verify certificates or CRLs. TLS clients that
verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
Severity: Moderate
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Severity: Moderate
When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.
This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Race condition handling NewSessionTicket (CVE-2015-1791)
Severity: Low
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Invalid free in DTLS (CVE-2014-8176)
Severity: Moderate
This vulnerability does not affect current versions of OpenSSL. It
existed in previous OpenSSL versions and was fixed in June 2014.
If a DTLS peer receives application data between the ChangeCipherSpec
and Finished messages, buffering of such data may cause an invalid free,
resulting in a segmentation fault or potentially, memory corruption.
This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.
…
Fix:
The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg)
fix all three issues. These releases also fix a number of
other security issues. Shortly after publishing these updates OpenSSL
issued another update (1.0.2c, 1.0.1o), because the versions contained
an ABI change which should not happen in minor releases.
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv_20150611.txt
*(from redmine: issue id 4348, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4344
Milestone: Alpine 2.7.10
Assignee: Timo Teräs

Issue #4347: [v3.0] openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/4347
Author: Alexander Belous
Updated: 2019-07-23T13:51:51Z
Bugs:
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man-in-the-middle attacker
to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).
OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.
…
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Severity: Moderate
When processing an ECParameters structure OpenSSL enters an infinite
loop if the curve specified is over a specially malformed binary
polynomial field.
This can be used to perform denial of service against any system which
processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with client
authentication enabled.
This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.
…
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
Severity: Moderate
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in a
DoS on applications that verify certificates or CRLs. TLS clients that
verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
Severity: Moderate
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Severity: Moderate
When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.
This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Race condition handling NewSessionTicket (CVE-2015-1791)
Severity: Low
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Invalid free in DTLS (CVE-2014-8176)
Severity: Moderate
This vulnerability does not affect current versions of OpenSSL. It
existed in previous OpenSSL versions and was fixed in June 2014.
If a DTLS peer receives application data between the ChangeCipherSpec
and Finished messages, buffering of such data may cause an invalid free,
resulting in a segmentation fault or potentially, memory corruption.
This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.
…
Fix:
The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg)
fix all three issues. These releases also fix a number of
other security issues. Shortly after publishing these updates OpenSSL
issued another update (1.0.2c, 1.0.1o), because the versions contained
an ABI change which should not happen in minor releases.
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv_20150611.txt
*(from redmine: issue id 4347, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4344
* Milestone: 3.0.7
* Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4346
[v3.1] openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
Updated: 2019-07-23T13:51:52Z
Author: Alexander Belous

Bugs:
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man-in-the-middle attacker
to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).
OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.
…
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Severity: Moderate
When processing an ECParameters structure OpenSSL enters an infinite
loop if the curve specified is over a specially malformed binary
polynomial field.
This can be used to perform denial of service against any system which
processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with client
authentication enabled.
This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.
…
Exploitable out-of-bounds read in X509\_cmp\_time (CVE-2015-1789)
Severity: Moderate
X509\_cmp\_time does not properly check the length of the ASN1\_TIME
string and can read a few bytes out of bounds. In addition,
X509\_cmp\_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in a
DoS on applications that verify certificates or CRLs. TLS clients that
verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
Severity: Moderate
The PKCS\#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS\#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS\#7 data or otherwise parse PKCS\#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Severity: Moderate
When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.
This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Race condition handling NewSessionTicket (CVE-2015-1791)
Severity: Low
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Invalid free in DTLS (CVE-2014-8176)
Severity: Moderate
This vulnerability does not affect current versions of OpenSSL. It
existed in previous OpenSSL versions and was fixed in June 2014.
If a DTLS peer receives application data between the ChangeCipherSpec
and Finished messages, buffering of such data may cause an invalid free,
resulting in a segmentation fault or potentially, memory corruption.
This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.
…
Fix:
The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg)
fix all three issues. These releases also fix a number of
other security issues. Shortly after publishing these updates OpenSSL
issued another update (1.0.2c, 1.0.1o), because the versions contained
an ABI change which should not happen in minor releases.
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv\_20150611.txt
*(from redmine: issue id 4346, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4344
* Milestone: 3.1.5
* Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4345
[v3.2] openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
Updated: 2019-07-23T13:51:54Z
Author: Alexander Belous

Bugs:
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man-in-the-middle attacker
to downgrade vulnerable TLS connections using ephemeral
Diffie-Hellman key exchange to 512-bit export-grade cryptography. This
vulnerability is known as Logjam (CVE-2015-4000).
OpenSSL has added protection for TLS clients by rejecting handshakes
with DH parameters shorter than 768 bits. This limit will be increased
to 1024 bits in a future release.
…
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Severity: Moderate
When processing an ECParameters structure OpenSSL enters an infinite
loop if the curve specified is over a specially malformed binary
polynomial field.
This can be used to perform denial of service against any system which
processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with client
authentication enabled.
This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
affected.
…
Exploitable out-of-bounds read in X509\_cmp\_time (CVE-2015-1789)
Severity: Moderate
X509\_cmp\_time does not properly check the length of the ASN1\_TIME
string and can read a few bytes out of bounds. In addition,
X509\_cmp\_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in a
DoS on applications that verify certificates or CRLs. TLS clients that
verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
Severity: Moderate
The PKCS\#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS\#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS\#7 data or otherwise parse PKCS\#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Severity: Moderate
When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.
This can be used to perform denial of service against any system which
verifies signedData messages using the CMS code.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Race condition handling NewSessionTicket (CVE-2015-1791)
Severity: Low
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and
0.9.8.
…
Invalid free in DTLS (CVE-2014-8176)
Severity: Moderate
This vulnerability does not affect current versions of OpenSSL. It
existed in previous OpenSSL versions and was fixed in June 2014.
If a DTLS peer receives application data between the ChangeCipherSpec
and Finished messages, buffering of such data may cause an invalid free,
resulting in a segmentation fault or potentially, memory corruption.
This issue affected older OpenSSL versions 1.0.1, 1.0.0 and 0.9.8.
…
Fix:
The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg)
fix all three issues. These releases also fix a number of
other security issues. Shortly after publishing these updates OpenSSL
issued another update (1.0.2c, 1.0.1o), because the versions contained
an ABI change which should not happen in minor releases.
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv\_20150611.txt
*(from redmine: issue id 4345, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4344
* Milestone: 3.2.1
* Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4344
openssl: multiple issues (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176, CVE-2015-4000)
Updated: 2019-07-23T13:51:54Z
Author: Alexander Belous

Bugs:
>DHE man-in-the-middle protection (Logjam)
>
>A vulnerability in the TLS protocol allows a man-in-the-middle
>attacker to downgrade vulnerable TLS connections using ephemeral
>Diffie-Hellman key exchange to 512-bit export-grade cryptography.
>This vulnerability is known as Logjam (CVE-2015-4000).
>
>OpenSSL has added protection for TLS clients by rejecting
>handshakes with DH parameters shorter than 768 bits. This limit will be
>increased to 1024 bits in a future release.
>
>…
>
>Malformed ECParameters causes infinite loop (CVE-2015-1788)
>
>Severity: Moderate
>
>When processing an ECParameters structure OpenSSL enters an
>infinite loop if the curve specified is over a specially malformed
>binary polynomial field.
>
>This can be used to perform denial of service against any system
>which processes public keys, certificate requests or
>certificates. This includes TLS clients and TLS servers with client
>authentication enabled.
>
>This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0
>and 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
>affected.
>
>…
>
>Exploitable out-of-bounds read in X509\_cmp\_time (CVE-2015-1789)
>
>Severity: Moderate
>
>X509\_cmp\_time does not properly check the length of the
>ASN1\_TIME string and can read a few bytes out of bounds. In addition,
>X509\_cmp\_time accepts an arbitrary number of fractional seconds
>in the time string.
>
>An attacker can use this to craft malformed certificates and CRLs
>of various sizes and potentially cause a segmentation fault, resulting
>in a DoS on applications that verify certificates or CRLs. TLS clients
>that verify CRLs are affected. TLS clients and servers with client
>authentication enabled may be affected if they use custom verification
>callbacks.
>
>This issue affects all current OpenSSL versions: 1.0.2, 1.0.1,
>1.0.0 and 0.9.8.
>
>…
>
>PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
>
>Severity: Moderate
>
>The PKCS\#7 parsing code does not handle missing inner
>EncryptedContent correctly. An attacker can craft malformed
>ASN.1-encoded PKCS\#7 blobs with missing content and trigger a NULL
>pointer dereference on parsing.
>
>Applications that decrypt PKCS\#7 data or otherwise parse PKCS\#7
>structures from untrusted sources are affected. OpenSSL clients and
>servers are not affected.
>
>This issue affects all current OpenSSL versions: 1.0.2, 1.0.1,
>1.0.0 and 0.9.8.
>
>…
>
>CMS verify infinite loop with unknown hash function
>(CVE-2015-1792)
>
>Severity: Moderate
>
>When verifying a signedData message the CMS code can enter an
>infinite loop if presented with an unknown hash function OID.
>
>This can be used to perform denial of service against any system
>which verifies signedData messages using the CMS code.
>
>This issue affects all current OpenSSL versions: 1.0.2, 1.0.1,
>1.0.0 and 0.9.8.
>
>…
>
>Race condition handling NewSessionTicket (CVE-2015-1791)
>
>Severity: Low
>
>If a NewSessionTicket is received by a multi-threaded client when
>attempting to reuse a previous ticket then a race condition can occur
>potentially leading to a double free of the ticket data.
>
>This issue affects all current OpenSSL versions: 1.0.2, 1.0.1,
>1.0.0 and 0.9.8.
>
>…
>
>Invalid free in DTLS (CVE-2014-8176)
>
>Severity: Moderate
>
>This vulnerability does not affect current versions of OpenSSL. It
>existed in previous OpenSSL versions and was fixed in June 2014.
>
>If a DTLS peer receives application data between the
>ChangeCipherSpec and Finished messages, buffering of such data may cause
>an invalid free, resulting in a segmentation fault or potentially,
>memory corruption.
>
>This issue affected older OpenSSL versions 1.0.1, 1.0.0 and
>0.9.8.
…
Fix:
>The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s,
>0.9.8zg) fix all three issues. These releases also fix a number of
>other security issues. **Shortly after publishing these updates
>OpenSSL issued another update (1.0.2c, 1.0.1o), because the versions
>contained an ABI change which should not happen in minor releases.**
…
References:
http://seclists.org/oss-sec/2015/q2/697
http://seclists.org/oss-sec/2015/q2/703
https://www.openssl.org/news/secadv\_20150611.txt
*(from redmine: issue id 4344, created on 2015-06-15, closed on 2015-06-16)*
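The X509\_cmp\_time item above (CVE-2015-1789) comes down to a time-string parser that walks the value by fixed offsets without first checking that enough bytes exist, and that tolerates trailing fractional seconds. The C routine below is an added illustration written for this page, not OpenSSL's code or its fix: it accepts only the RFC 5280 profile of UTCTime ("YYMMDDHHMMSSZ") and GeneralizedTime ("YYYYMMDDHHMMSSZ"), rejects the input on length before reading a single byte, range-checks the fields, and compares two parsed values the way a validity check against notBefore/notAfter would. The tag values 23 and 24 are the ASN.1 universal tags of the two types; the sample strings in the usage note are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASN.1 universal tag numbers for the two time types. */
#define TIME_UTCTIME         23
#define TIME_GENERALIZEDTIME 24

struct strict_time { int year, mon, mday, hour, min, sec; };

/* Read exactly n ASCII digits (caller has bounds-checked n bytes); -1 if any is not a digit. */
static int read_digits(const unsigned char *s, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit(s[i]))
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Parse a time value of exactly `len` bytes (not NUL-terminated) in the
 * RFC 5280 profile: UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime
 * "YYYYMMDDHHMMSSZ". The length is checked once, before any byte is
 * read, so fractional seconds, missing seconds, "+hhmm" offsets and
 * truncated strings are all rejected without touching s[len] or beyond.
 * Returns 1 on success, 0 on any malformed input. */
int strict_time_parse(int type, const unsigned char *s, size_t len,
                      struct strict_time *out)
{
    size_t ylen;
    int y, mon, mday, hour, min, sec;

    if (type == TIME_UTCTIME)
        ylen = 2;
    else if (type == TIME_GENERALIZEDTIME)
        ylen = 4;
    else
        return 0;
    if (s == NULL || len != ylen + 10 + 1)  /* year, MMDDHHMMSS, 'Z' */
        return 0;
    if (s[len - 1] != 'Z')
        return 0;

    y    = read_digits(s, ylen);
    mon  = read_digits(s + ylen, 2);
    mday = read_digits(s + ylen + 2, 2);
    hour = read_digits(s + ylen + 4, 2);
    min  = read_digits(s + ylen + 6, 2);
    sec  = read_digits(s + ylen + 8, 2);
    if (y < 0 || mon < 0 || mday < 0 || hour < 0 || min < 0 || sec < 0)
        return 0;
    if (type == TIME_UTCTIME)               /* RFC 5280 4.1.2.5.1 pivot */
        y += (y >= 50) ? 1900 : 2000;
    if (mon < 1 || mon > 12 || mday < 1 || mday > 31 ||
        hour > 23 || min > 59 || sec > 59)
        return 0;
    if (out) {
        out->year = y;    out->mon = mon;  out->mday = mday;
        out->hour = hour; out->min = min;  out->sec = sec;
    }
    return 1;
}

static int cmp_int(int a, int b) { return (a > b) - (a < b); }

/* -1 if a is earlier than b, 0 if equal, 1 if later. */
int strict_time_cmp(const struct strict_time *a, const struct strict_time *b)
{
    int r;
    if ((r = cmp_int(a->year, b->year)) != 0) return r;
    if ((r = cmp_int(a->mon,  b->mon))  != 0) return r;
    if ((r = cmp_int(a->mday, b->mday)) != 0) return r;
    if ((r = cmp_int(a->hour, b->hour)) != 0) return r;
    if ((r = cmp_int(a->min,  b->min))  != 0) return r;
    return cmp_int(a->sec, b->sec);
}

/* String front-ends. strict_time_year returns the parsed year or -1 when
 * the string is rejected; strict_time_cmp_str returns -1/0/1, or -2 if
 * either string is rejected (treat -2 as failure, never as "still valid"). */
int strict_time_year(int type, const char *s)
{
    struct strict_time t;
    return strict_time_parse(type, (const unsigned char *)s, strlen(s), &t)
               ? t.year : -1;
}

int strict_time_cmp_str(int ta, const char *a, int tb, const char *b)
{
    struct strict_time x, y;
    if (!strict_time_parse(ta, (const unsigned char *)a, strlen(a), &x) ||
        !strict_time_parse(tb, (const unsigned char *)b, strlen(b), &y))
        return -2;
    return strict_time_cmp(&x, &y);
}
```

With constructed inputs, `strict_time_year(TIME_UTCTIME, "150611120000Z")` yields 2015, while a GeneralizedTime with fractional seconds ("20150611120000.5Z"), a truncated UTCTime ("1506111200") or one carrying a "+0100" offset all return -1 on the length check alone. The design point is that the single exact-length comparison happens before any indexing, so there is no offset arithmetic left that could run past the buffer; an implementation that instead accepts a variable number of fraction digits has to bound-check every step of that loop.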
* Relations:
* child #4345
* child #4346
* child #4347
* child #4348

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4343
[v2.7] wpa_supplicant: vulnerability was found in peer implementation (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
Updated: 2019-07-23T13:51:55Z
Author: Alexander Belous

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa\_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.
Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa\_supplicant v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build
configuration (wpa\_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.
Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa\_supplicant:
  - CVE-2015-4143:
    - EAP-pwd peer: Fix payload length validation for Commit and Confirm
    - EAP-pwd server: Fix payload length validation for Commit and Confirm
  - CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
    - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
    - EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  - CVE-2015-4146:
    - EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa\_supplicant v2.5 or newer, once available
- Remove CONFIG\_EAP\_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration
Reference:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
*(from redmine: issue id 4343, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4339
* Changesets:
* Revision d68ca09574357db36d33cace25c2b307dc8759d5 by Natanael Copa on 2015-06-15T12:11:09Z:
```
main/wpa_supplicant: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4343
fixes #4267
```
* Milestone: Alpine 2.7.10
* Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4342
[v3.0] wpa_supplicant: vulnerability was found in peer implementation (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
Updated: 2019-07-23T13:51:57Z
Author: Alexander Belous

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa\_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.
Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa\_supplicant v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build
configuration (wpa\_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.
Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa\_supplicant:
  - CVE-2015-4143:
    - EAP-pwd peer: Fix payload length validation for Commit and Confirm
    - EAP-pwd server: Fix payload length validation for Commit and Confirm
  - CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
    - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
    - EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  - CVE-2015-4146:
    - EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa\_supplicant v2.5 or newer, once available
- Remove CONFIG\_EAP\_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration
Reference:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
*(from redmine: issue id 4342, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4339
* Changesets:
* Revision a190cd664abf51fb096ce04c5833b64815b5a23a by Natanael Copa on 2015-06-15T12:02:59Z:
```
main/wpa_supplicant: upgrade to 2.3 and various security fixes
CVE-2014-3686
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4342
fixes #4268
fixes #3522
```
* Milestone: 3.0.7
* Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/4341
[v3.1] wpa_supplicant: vulnerability was found in peer implementation (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
Updated: 2019-07-23T13:51:58Z
Author: Alexander Belous

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa\_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.
Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa\_supplicant v1.0-v2.4 with CONFIG\_EAP\_PWD=y in the build
configuration (wpa\_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.
Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa\_supplicant:
  - CVE-2015-4143:
    - EAP-pwd peer: Fix payload length validation for Commit and Confirm
    - EAP-pwd server: Fix payload length validation for Commit and Confirm
  - CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
    - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
    - EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  - CVE-2015-4146:
    - EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa\_supplicant v2.5 or newer, once available
- Remove CONFIG\_EAP\_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration
Reference:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
*(from redmine: issue id 4341, created on 2015-06-15, closed on 2015-06-16)*
* Relations:
* parent #4339
* Changesets:
* Revision 3a936bc794c7c46039d4ec88a1f93621e1e9eb86 by Natanael Copa on 2015-06-15T11:51:54Z:
```
main/wpa_supplicant: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4341
fixes #4269
```
* Milestone: 3.1.5
* Assignee: Natanael Copa
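The three wpa_supplicant issues above describe two missing checks: the Commit and Confirm payloads are read without confirming the frame actually holds every field, and fragment reassembly trusts Total-Length without comparing it to the bytes already received. The C below is an added example written for this page; it is not hostapd/wpa_supplicant code and not the w1.fi patches. It models the EAP-pwd exchange byte of RFC 5931 (L and M flags, 6-bit opcode, optional 16-bit Total-Length) with fixed-size Commit and Confirm payloads for an assumed group: `prime_len`, `order_len` and `hash_len` are parameters rather than a specific group's values, and `EAP_PWD_MAX_TOTAL_LEN` is this example's own cap. It shows the length checks that keep both the field reads and the remaining-length arithmetic in bounds.

```c
#include <stddef.h>
#include <stdint.h>

/* pwd-exch byte of an EAP-pwd message (RFC 5931 section 3.1): L and M
 * flag bits, then a 6-bit exchange opcode. */
#define EAP_PWD_FLAG_L         0x80  /* Total-Length field follows */
#define EAP_PWD_FLAG_M         0x40  /* more fragments follow */
#define EAP_PWD_OPCODE_MASK    0x3f
#define EAP_PWD_OPCODE_COMMIT  2
#define EAP_PWD_OPCODE_CONFIRM 3

/* Cap on a reassembled message: this example's own choice, not a figure
 * from the advisory. It bounds the buffer a first fragment can ask for. */
#define EAP_PWD_MAX_TOTAL_LEN  15000

/* Commit payload = Element (2*prime_len bytes, uncompressed EC point)
 * || Scalar (order_len bytes). Returns 1 and sets *element/*scalar only
 * when payload_len is exactly that size; 0 otherwise. The vulnerable
 * pattern reads both fields at fixed offsets without this check. */
int eap_pwd_commit_parse(const uint8_t *payload, size_t payload_len,
                         size_t prime_len, size_t order_len,
                         const uint8_t **element, const uint8_t **scalar)
{
    if (payload == NULL || prime_len == 0 || order_len == 0)
        return 0;
    if (payload_len != 2 * prime_len + order_len)
        return 0;
    if (element) *element = payload;
    if (scalar)  *scalar  = payload + 2 * prime_len;
    return 1;
}

/* Confirm payload = one hash value of hash_len bytes. */
int eap_pwd_confirm_parse(const uint8_t *payload, size_t payload_len,
                          size_t hash_len, const uint8_t **confirm)
{
    if (payload == NULL || hash_len == 0 || payload_len != hash_len)
        return 0;
    if (confirm) *confirm = payload;
    return 1;
}

/* First fragment of an exchange: `data` is everything after the pwd-exch
 * byte. Returns the size the reassembly buffer must hold (len itself for
 * an unfragmented message), or 0 when the header is inconsistent.
 * Refusing a Total-Length smaller than the bytes already present is what
 * keeps "remaining = total - received" from going negative. */
size_t eap_pwd_first_fragment_total(uint8_t flags, const uint8_t *data,
                                    size_t len)
{
    size_t total;
    if (!(flags & EAP_PWD_FLAG_L))
        return (flags & EAP_PWD_FLAG_M) ? 0 : len;  /* M without L: reject */
    if (data == NULL || len < 2)               /* no room for Total-Length */
        return 0;
    total = ((size_t)data[0] << 8) | data[1];
    if (total == 0 || total > EAP_PWD_MAX_TOTAL_LEN)
        return 0;
    if (len - 2 > total)                       /* more data than announced */
        return 0;
    return total;
}

/* Check a complete frame body (pwd-exch byte onward) for an assumed group
 * with the given field sizes. Returns the opcode, or -1 when any length
 * check fails. Fragmented messages (M set) are left to a reassembler. */
int eap_pwd_frame_check(const uint8_t *body, size_t body_len,
                        size_t prime_len, size_t order_len, size_t hash_len)
{
    uint8_t flags;
    const uint8_t *payload;
    size_t payload_len, total;

    if (body == NULL || body_len < 1)
        return -1;
    flags = body[0];
    payload = body + 1;
    payload_len = body_len - 1;
    total = eap_pwd_first_fragment_total(flags, payload, payload_len);
    if (total == 0 || (flags & EAP_PWD_FLAG_M))
        return -1;
    if (flags & EAP_PWD_FLAG_L) {
        payload += 2;
        payload_len -= 2;
        if (total != payload_len)              /* announced != actual */
            return -1;
    }
    switch (flags & EAP_PWD_OPCODE_MASK) {
    case EAP_PWD_OPCODE_COMMIT:
        return eap_pwd_commit_parse(payload, payload_len, prime_len, order_len,
                                    NULL, NULL) ? EAP_PWD_OPCODE_COMMIT : -1;
    case EAP_PWD_OPCODE_CONFIRM:
        return eap_pwd_confirm_parse(payload, payload_len, hash_len, NULL)
                   ? EAP_PWD_OPCODE_CONFIRM : -1;
    default:
        return -1;
    }
}
```

With constructed frames for an assumed 256-bit group (prime_len = order_len = hash_len = 32), an unfragmented Commit body is 1 + 64 + 32 bytes and `eap_pwd_frame_check` returns 2; the same body one byte short is rejected before either field is located. `eap_pwd_first_fragment_total` refuses a first fragment whose Total-Length is smaller than the data it already carries, which is the input that made the remaining length negative in the advisory's description, and a More bit without a Total-Length, which a reassembler cannot size a buffer for.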