Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2016-749

Related Vulnerabilities: CVE-2016-6304  

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. The <a href="https://www.openssl.org/news/secadv/20160922.txt">OpenSSL Security Advisory [22 Sep 2016]</a> refers to additional CVEs. CVE-2016-6305 does not affect OpenSSL 1.0.1. The remaining CVEs listed will be fixed in a later update. The <a href="https://www.openssl.org/news/secadv/20160926.txt">OpenSSL Security Advisory [26 Sep 2016]</a> refers to two additional CVEs which do not affect OpenSSL 1.0.1. (Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream advisory.)

Source

ALAS-2016-749

Amazon Linux AMI Security Advisory: ALAS-2016-749
Advisory Release Date: 2016-09-22 16:00 Pacific
Advisory Updated Date: 2016-09-26 12:00 Pacific
Severity: Important
References: CVE-2016-6304 
Issue Overview:

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.

The <a href="https://www.openssl.org/news/secadv/20160922.txt">OpenSSL Security Advisory [22 Sep 2016]</a> refers to additional CVEs. CVE-2016-6305 does not affect OpenSSL 1.0.1. The remaining CVEs listed will be fixed in a later update.

The <a href="https://www.openssl.org/news/secadv/20160926.txt">OpenSSL Security Advisory [26 Sep 2016]</a> refers to two additional CVEs which do not affect OpenSSL 1.0.1.

(Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream advisory.)


Affected Packages:

openssl


Issue Correction:
Run yum update openssl to update your system.

New Packages:
i686:
    openssl-devel-1.0.1k-15.95.amzn1.i686
    openssl-debuginfo-1.0.1k-15.95.amzn1.i686
    openssl-perl-1.0.1k-15.95.amzn1.i686
    openssl-static-1.0.1k-15.95.amzn1.i686
    openssl-1.0.1k-15.95.amzn1.i686

src:
    openssl-1.0.1k-15.95.amzn1.src

x86_64:
    openssl-static-1.0.1k-15.95.amzn1.x86_64
    openssl-perl-1.0.1k-15.95.amzn1.x86_64
    openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64
    openssl-devel-1.0.1k-15.95.amzn1.x86_64
    openssl-1.0.1k-15.95.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started