Wind River Support Network

Wind River Linux Security Alert for several openssl security issues

Released: Mar 1, 2016     Updated: Mar 2, 2016

Summary

Eight newly reported and fixed CVE issues in OpenSSL are to be released on 20160301: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703 and CVE-2016-0704.


Affected Product Versions

Wind River Linux 6, Wind River Linux 7, Wind River Linux 8, Wind River Linux 5

Description

Note: Wind River Linux 5 has two versions of OpenSSL available: 1.0.0 and 1.0.1. Version 1.0.0 is the default. For OpenSSL 1.0.0, only CVE-2016-0800, CVE-2016-0703 and CVE-2016-0704 apply.

There are eight CVE issues in the March 1st 2016 security announcement from OpenSSL.

CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)

This affects OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 and all earlier versions.

This issue requires that the previously released patch for CVE-2015-3197 also be applied.

OpenSSL 1.0.2 and 1.0.1 are further patched to disable the SSLv2 default build, default negotiation and weak ciphers (SSLv3 and above).

OpenSSL prior to 1.0.1 does not have a separate CVE-2016-0800 patch.

CVE-2016-0705 - Double-free in DSA code

This affects OpenSSL 1.0.2 and 1.0.1.

CVE-2016-0798 - Memory leak in SRP database lookups

This affects OpenSSL 1.0.2 and 1.0.1.

CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

This affects OpenSSL 1.0.2 and 1.0.1.

CVE-2016-0799 - Fix memory issues in BIO_*printf functions

This affects OpenSSL 1.0.2 and 1.0.1.

CVE-2016-0702 - Side channel attack on modular exponentiation

This affects OpenSSL 1.0.2 and 1.0.1.

CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2

This affects OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 and all earlier versions.

This item was fixed by a previous update for CVE-2015-0293. No additional patches are required.

CVE-2016-0704 - Bleichenbacher oracle in SSLv2

This affects OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 and all earlier versions.

This item was fixed by a previous update for CVE-2015-0293. No additional patches are required.

Current state:

The patch for CVE-2016-0798 is still in progress. All other patches have been uploaded.


Installation Notes

make bbs

bitbake openssl -c patch

Then go to the openssl source tree:

patch -p1 < 0001-WRLx-CVE-2016xxxx.patch

patch -p1 < 0002-WRLx-CVE-2016xxxx.patch

patch -p1 < 0003-WRLx-CVE-2016xxxx.patch

Go back to the bitbake_build directory:

bitbake openssl -C configure

