svn commit: r422603 - head/security/vuxml

Bernard Spil brnrd at FreeBSD.org
Thu Sep 22 12:17:06 UTC 2016 

Author: brnrd
Date: Thu Sep 22 12:17:04 2016
New Revision: 422603
URL: https://svnweb.freebsd.org/changeset/ports/422603

Log:
  security/vuxml: Add new OpenSSL 1.0.2 and 1.1.0 vulnerabilities
  
    - 2016-09-22 security advisory

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Sep 22 11:26:48 2016	(r422602)
+++ head/security/vuxml/vuln.xml	Thu Sep 22 12:17:04 2016	(r422603)
@@ -58,6 +58,63 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="43eaa656-80bc-11e6-bf52-b499baebfeaf">
+    <topic>OpenSSL -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>openssl-devel</name>
+	<range><ge>1.1.0</ge><lt>1.1.0_1</lt></range>
+      </package>
+      <package>
+	<name>openssl</name>
+	<range><lt>1.0.2_16,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>OpenSSL reports:</p>
+	<blockquote cite="https://www.openssl.org/news/secadv/20160922.txt">
+	  <p>High: OCSP Status Request extension unbounded memory growth</p>
+	  <p>SSL_peek() hang on empty record</p>
+	  <p>SWEET32 Mitigation</p>
+	  <p>OOB write in MDC2_Update()</p>
+	  <p>Malformed SHA512 ticket DoS</p>
+	  <p>OOB write in BN_bn2dec()</p>
+	  <p>OOB read in TS_OBJ_print_bio()</p>
+	  <p>Pointer arithmetic undefined behaviour</p>
+	  <p>Constant time flag not preserved in DSA signing</p>
+	  <p>DTLS buffered message DoS</p>
+	  <p>DTLS replay protection DoS</p>
+	  <p>Certificate message OOB reads</p>
+	  <p>Excessive allocation of memory in tls_get_message_header()</p>
+	  <p>Excessive allocation of memory in dtls1_preprocess_fragment()</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.openssl.org/news/secadv/20160922.txt</url>
+      <cvename>CVE-2016-6304</cvename>
+      <cvename>CVE-2016-6305</cvename>
+      <cvename>CVE-2016-2183</cvename>
+      <cvename>CVE-2016-6303</cvename>
+      <cvename>CVE-2016-6302</cvename>
+      <cvename>CVE-2016-2182</cvename>
+      <cvename>CVE-2016-2180</cvename>
+      <cvename>CVE-2016-2177</cvename>
+      <cvename>CVE-2016-2178</cvename>
+      <cvename>CVE-2016-2179</cvename>
+      <cvename>CVE-2016-2181</cvename>
+      <cvename>CVE-2016-6306</cvename>
+      <cvename>CVE-2016-6307</cvename>
+      <cvename>CVE-2016-6308</cvename>
+      <cvename>CVE-2016-</cvename>
+    </references>
+    <dates>
+      <discovery>2016-09-22</discovery>
+      <entry>2016-09-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
     <topic>irssi -- heap corruption and missing boundary checks</topic>
     <affects>

More information about the svn-ports-head mailing list