PDA

View Full Version : openssl-0.9.8j-0.58.1 and CVE-2014-0224



jeffisaacs
11-Jun-2014, 23:15
Looking at Novell's web site, it says we have to be at openssl-0.9.8j-0.58.1 or greater to be in the clear for CVE-2014-0224 (openssl), even though it says in the description "OpenSSL before 0.9.8za" is vulnerable. openssl-0.9.8j-0.58.1 is listed in the fixed package versions, and that is the version we are at, but I wanted to verify. Doesn't 0.9.8j come before 0.9.8za?

The Novell advisory is at the following url:

http://support.novell.com/security/cve/CVE-2014-0224.html

malcolmlewis
12-Jun-2014, 00:00
On Wed 11 Jun 2014 10:24:01 PM CDT, jeffisaacs wrote:


Looking at Novell's web site, it says we have to be at
openssl-0.9.8j-0.58.1 or greater to be in the clear for CVE-2014-0224
(openssl), even though it says in the description "OpenSSL before
0.9.8za" is vulnerable. openssl-0.9.8j-0.58.1 is listed in the fixed
package versions, and that is the version we are at, but I wanted to
verify. Doesn't 0.9.8j come before 0.9.8za?

The Novell advisory is at the following url:

http://support.novell.com/security/cve/CVE-2014-0224.html




Hi
Better to refer to the SUSE one ;)
https://www.suse.com/support/update/announcement/2014/suse-su-20140759-1.html

I would guess that's a typo should be an 'a' rather than 'za' referring
to the other SUSE releases which you can see from the list here;
https://www.suse.com/support/security/advisories/

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-11-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

smflood
16-Jun-2014, 15:06
On 12/06/2014 00:00, malcolmlewis wrote:

> I would guess that's a typo should be an 'a' rather than 'za' referring
> to the other SUSE releases which you can see from the list here;
> https://www.suse.com/support/security/advisories/

The reference to 'za' is not a typo - OpenSSL 0.9.8za is the latest
version of the OpenSSL 0.9.8 branch available via openssl.org.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

smflood
16-Jun-2014, 15:13
On 11/06/2014 23:24, jeffisaacs wrote:

> Looking at Novell's web site, it says we have to be at
> openssl-0.9.8j-0.58.1 or greater to be in the clear for CVE-2014-0224
> (openssl), even though it says in the description "OpenSSL before
> 0.9.8za" is vulnerable. openssl-0.9.8j-0.58.1 is listed in the fixed
> package versions, and that is the version we are at, but I wanted to
> verify. Doesn't 0.9.8j come before 0.9.8za?
>
> The Novell advisory is at the following url:
>
> http://support.novell.com/security/cve/CVE-2014-0224.html

Whilst at first glance the updated OpenSSL 0.9.8j-0.58.1 would appear to
still be vulnerable given the version number it's why you should never
simply trust the version number when checking for vulnerabilities. For
stability reasons SUSE backport security fixes from later versions of
software into earlier code.

So whilst SUSE's OpenSSL 0.9.8j-0.58.1 would appear to be vulnerable
since it's 0.9.8j it's actually 0.9.8j plus fixes from 0.9.8k through
0.9.8za.

Checking the RPM changelog of the openssl package on a SLES11 SP3 server
it reveals it's been patched for CVE-2014-0224 (amongst others):

--begin--
> rpm -q --changelog openssl | head
* Mon Jun 02 2014 shchang@suse.com
- Fixed bug[ bnc#880891], prevent buffer overread, by Sebastian Krahmer
* Add patch file: prevent_buffer_overread.patch

* Mon Jun 02 2014 shchang@suse.com
- Fixed bug[ bnc#880891], multiple OpenSSL CVE issues
Add patch files: CVE-2014-3470.patch, CVE-2014-0221.patch,
CVE-2014-0224.patch

* Tue Mar 25 2014 shchang@suse.com
- Fix bug[ bnc#870192], Some libraries like libcrypto.so.0.9.8 (32bit)
has the execstack flag set
---end---

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------