ID de Prueba:	1.3.6.1.4.1.25623.1.0.123140
Categoría:	Oracle Linux Local Security Checks
Título:	Oracle: Security Advisory (ELSA-2015-3022)
Resumen:	The remote host is missing an update for the 'openssl-fips' package(s) announced via the ELSA-2015-3022 advisory.
Descripción:	Summary: The remote host is missing an update for the 'openssl-fips' package(s) announced via the ELSA-2015-3022 advisory. Vulnerability Insight: [1.0.1m-2.0.1] - update to upstream 1.0.1m - update to fips canister 2.0.9 - regenerated below patches openssl-1.0.1-beta2-rpmbuild.patch openssl-1.0.1m-rhcompat.patch openssl-1.0.1m-ecc-suiteb.patch openssl-1.0.1m-fips-mode.patch openssl-1.0.1m-version.patch openssl-1.0.1m-evp-devel.patch [1.0.1j-2.0.4] - [Orabug 20182267] The openssl-fips-devel package should Provide: openssl-devel and openssl-devel(x86-64) like the standard -devel package - The openssl-fips-devel package should include fips.h and fips_rand.h for apps that want to build against FIPS* APIs [1.0.1j-2.0.3] - [Orabug 20086847] reintroduce patch openssl-1.0.1e-ecc-suiteb.patch, update ec_curve.c which gets copied into build tree to match the patch (ie only have curves which are advertised). The change items from the original patch are as follows: - do not advertise ECC curves we do not support - fix CPU identification on Cyrix CPUs [1.0.1j-2.0.2] - update README.FIPS with step-by-step install instructions [1.0.1j-2.0.1] - update to upstream 1.0.1j - change name to openssl-fips - change Obsoletes: openssl to Conflicts: openssl - add Provides: openssl [1.0.1i-2.0.3.fips] - update to fips canister 2.0.8 to remove Dual EC DRBG - run gcc -v so the gcc build version is captured in the build log [1.0.1i-2.0.2.fips] - flip EVP_CIPH_* flag bits for compatibility with original RH patched pkg [1.0.1i-2.0.1.fips] - build against upstream 1.0.1i - build against fips validated canister 2.0.7 - add patch to support fips=1 - rename pkg to openssl-fips and Obsolete openssl [1.0.1e-16.14] - fix CVE-2010-5298 - possible use of memory after free - fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment - fix CVE-2014-0198 - possible NULL pointer dereference - fix CVE-2014-0221 - DoS from invalid DTLS handshake packet - fix CVE-2014-0224 - SSL/TLS MITM vulnerability - fix CVE-2014-3470 - client-side DoS when using anonymous ECDH [1.0.1e-16.7] - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension [1.0.1e-16.4] - fix CVE-2013-4353 - Invalid TLS handshake crash [1.0.1e-16.3] - fix CVE-2013-6450 - possible MiTM attack on DTLS1 [1.0.1e-16.2] - fix CVE-2013-6449 - crash when version in SSL structure is incorrect [1.0.1e-16.1] - add back some no-op symbols that were inadvertently dropped [1.0.1e-16] - do not advertise ECC curves we do not support - fix CPU identification on Cyrix CPUs [1.0.1e-15] - make DTLS1 work in FIPS mode - avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode [1.0.1e-14] - installation of dracut-fips marks that the FIPS module is installed [1.0.1e-13] - avoid dlopening libssl.so from libcrypto [1.0.1e-12] - fix small memory leak in FIPS aes selftest - fix segfault in openssl speed hmac in the FIPS mode [1.0.1e-11] - document the nextprotoneg option in manual pages original patch by Hubert Kario [1.0.1e-9] - always perform the FIPS ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'openssl-fips' package(s) on Oracle Linux 6. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2015-0209 http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html BugTraq ID: 73239 http://www.securityfocus.com/bid/73239 Debian Security Information: DSA-3197 (Google Search) http://www.debian.org/security/2015/dsa-3197 http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.html FreeBSD Security Advisory: FreeBSD-SA-15:06 https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.asc https://security.gentoo.org/glsa/201503-11 HPdes Security Advisory: HPSBGN03306 http://marc.info/?l=bugtraq&m=142841429220765&w=2 HPdes Security Advisory: HPSBMU03380 http://marc.info/?l=bugtraq&m=143748090628601&w=2 HPdes Security Advisory: HPSBMU03397 http://marc.info/?l=bugtraq&m=144050297101809&w=2 HPdes Security Advisory: HPSBMU03409 http://marc.info/?l=bugtraq&m=144050155601375&w=2 HPdes Security Advisory: HPSBMU03413 http://marc.info/?l=bugtraq&m=144050254401665&w=2 HPdes Security Advisory: HPSBUX03334 http://marc.info/?l=bugtraq&m=143213830203296&w=2 HPdes Security Advisory: SSRT102000 http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 http://www.mandriva.com/security/advisories?name=MDVSA-2015:063 RedHat Security Advisories: RHSA-2015:0715 http://rhn.redhat.com/errata/RHSA-2015-0715.html RedHat Security Advisories: RHSA-2015:0716 http://rhn.redhat.com/errata/RHSA-2015-0716.html RedHat Security Advisories: RHSA-2015:0752 http://rhn.redhat.com/errata/RHSA-2015-0752.html RedHat Security Advisories: RHSA-2016:1089 http://rhn.redhat.com/errata/RHSA-2016-1089.html RedHat Security Advisories: RHSA-2016:2957 http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.securitytracker.com/id/1031929 SuSE Security Announcement: SUSE-SU-2015:0541 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.html SuSE Security Announcement: openSUSE-SU-2015:0554 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-03/msg00062.html SuSE Security Announcement: openSUSE-SU-2015:1277 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html SuSE Security Announcement: openSUSE-SU-2016:0640 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html http://www.ubuntu.com/usn/USN-2537-1 Common Vulnerability Exposure (CVE) ID: CVE-2015-0286 http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html BugTraq ID: 73225 http://www.securityfocus.com/bid/73225 http://www.securitytracker.com/id/1032917 SuSE Security Announcement: SUSE-SU-2015:0578 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html Common Vulnerability Exposure (CVE) ID: CVE-2015-0287 BugTraq ID: 73227 http://www.securityfocus.com/bid/73227 RedHat Security Advisories: RHSA-2015:0800 http://rhn.redhat.com/errata/RHSA-2015-0800.html SuSE Security Announcement: SUSE-SU-2016:0678 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html Common Vulnerability Exposure (CVE) ID: CVE-2015-0288 BugTraq ID: 73237 http://www.securityfocus.com/bid/73237 Common Vulnerability Exposure (CVE) ID: CVE-2015-0289 BugTraq ID: 73231 http://www.securityfocus.com/bid/73231 Common Vulnerability Exposure (CVE) ID: CVE-2015-0292 BugTraq ID: 73228 http://www.securityfocus.com/bid/73228 Common Vulnerability Exposure (CVE) ID: CVE-2015-0293 BugTraq ID: 73232 http://www.securityfocus.com/bid/73232 SuSE Security Announcement: SUSE-SU-2016:0617 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html SuSE Security Announcement: SUSE-SU-2016:0620 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html SuSE Security Announcement: SUSE-SU-2016:0621 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html SuSE Security Announcement: SUSE-SU-2016:0624 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html SuSE Security Announcement: SUSE-SU-2016:0631 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html SuSE Security Announcement: SUSE-SU-2016:0641 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html SuSE Security Announcement: SUSE-SU-2016:1057 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html SuSE Security Announcement: openSUSE-SU-2016:0628 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html SuSE Security Announcement: openSUSE-SU-2016:0637 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html SuSE Security Announcement: openSUSE-SU-2016:0638 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html SuSE Security Announcement: openSUSE-SU-2016:0720 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html
Copyright	Copyright (C) 2015 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.