Bugzilla – Bug 922500
VUL-1: CVE-2015-0289: openssl: PKCS7 NULL pointer dereferences
Last modified: 2022-02-16 21:18:14 UTC
bugbot adjusting priority
Created attachment 627153 [details] patch for openssl 0.9.8
QA: no reproducer. :(
http://openssl.org/news/secadv_20150319.txt PKCS7 NULL pointer dereferences (CVE-2015-0289) =============================================== Severity: Moderate The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf. This issue was reported to OpenSSL on February 16th 2015 by Michal Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL development team.
openSUSE updates submitted, reassigning to security-team.
This is an autogenerated message for OBS integration: This bug (922500) was mentioned in https://build.opensuse.org/request/show/291605 13.2+13.1 / openssl https://build.opensuse.org/request/show/291607 Factory / openssl
SUSE-SU-2015:0541-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 919648,920236,922488,922496,922499,922500 CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): openssl-1.0.1i-20.1 SUSE Linux Enterprise Server 12 (src): openssl-1.0.1i-20.1 SUSE Linux Enterprise Desktop 12 (src): openssl-1.0.1i-20.1
SUSE-SU-2015:0543-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 920236,922488,922496,922499,922500,922501 CVE References: CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise for SAP Applications 11 SP1 (src): compat-openssl097g-0.9.7g-146.22.29.1
SUSE-SU-2015:0545-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 915976,919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): openssl-0.9.8j-0.70.1 SUSE Linux Enterprise Server 11 SP1 LTSS (src): openssl-0.9.8j-0.70.1
SUSE-SU-2015:0546-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise Security Module 11 SP3 (src): openssl1-1.0.1g-0.26.1
SUSE-SU-2015:0547-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 922488,922496,922499,922500,922501 CVE References: CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise Desktop 11 SP3 (src): compat-openssl097g-0.9.7g-146.22.29.1 SLES for SAP Applications (src): compat-openssl097g-0.9.7g-146.22.29.1
SUSE-SU-2015:0548-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 922488,922496,922499,922500,922501 CVE References: Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): compat-openssl097g-0.9.7g-13.29.1
SUSE-SU-2015:0549-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 919648,920236,922488,922496,922499,922500,922501 CVE References: Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): openssl-0.9.8a-18.90.1
SUSE-SU-2015:0553-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 915976,919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise Module for Legacy Software 12 (src): compat-openssl098-0.9.8j-73.2
SUSE-SU-2015:0553-2: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 915976,919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Linux Enterprise Desktop 12 (src): compat-openssl098-0.9.8j-73.2
openSUSE-SU-2015:0554-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 919648,920236,922488,922496,922499,922500 CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293 Sources used: openSUSE 13.2 (src): openssl-1.0.1k-2.20.1 openSUSE 13.1 (src): openssl-1.0.1k-11.68.1
SUSE-SU-2015:0546-2: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SLE CLIENT TOOLS 10 for x86_64 (src): openssl-0.9.8a-18.90.1 SLE CLIENT TOOLS 10 for s390x (src): openssl-0.9.8a-18.90.1 SLE CLIENT TOOLS 10 (src): openssl-0.9.8a-18.90.1
SUSE-SU-2015:0545-2: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 915976,919648,920236,922488,922496,922499,922500,922501 CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293 Sources used: SUSE Studio Onsite 1.3 (src): openssl-0.9.8j-0.70.1 SUSE Manager 1.7 for SLE 11 SP2 (src): openssl-0.9.8j-0.70.1 SUSE Linux Enterprise Software Development Kit 11 SP3 (src): openssl-0.9.8j-0.70.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): openssl-0.9.8j-0.70.1 SUSE Linux Enterprise Server 11 SP3 (src): openssl-0.9.8j-0.70.1 SUSE Linux Enterprise Desktop 11 SP3 (src): openssl-0.9.8j-0.70.1
released
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed. Category: security (important) Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501 CVE References: Sources used: SUSE Linux Enterprise for SAP Applications 11 SP2 (src): compat-openssl097g-0.9.7g-146.22.29.1
openSUSE-SU-2015:1277-1: An update that solves 16 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 912015,912018,912292,912293,912296,919648,920236,922496,922499,922500,931600,934487,934489,934491,934493,934494,937891 CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8176,CVE-2014-8275,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1792,CVE-2015-4000 Sources used: openSUSE 13.2 (src): libressl-2.2.1-2.3.1
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available. Category: feature (moderate) Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668 CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712 JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135 Sources used: SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.