CVE-2015-3195 in Ubuntu

CVE-2015-3195

Priority

Medium

Description

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before
1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which
allows remote attackers to obtain sensitive information from process memory
by triggering a decoding failure in a PKCS#7 or CMS application.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
https://www.openssl.org/news/secadv/20151203.txt
https://usn.ubuntu.com/usn/usn-2830-1

Assigned-to

mdeslaur

Package

Source: openssl098 (LP Ubuntu Debian)

Upstream:	released (0.9.8zh)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr):	needed
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: openssl (LP Ubuntu Debian)

Upstream:	released (1.0.2e,1.0.1q)
Ubuntu 12.04 ESM (Precise Pangolin):	released (1.0.1-4ubuntu5.32)
Ubuntu 14.04 LTS (Trusty Tahr):	released (1.0.1f-1ubuntu2.16)
Ubuntu 16.04 LTS (Xenial Xerus):	released (1.0.2e-1ubuntu1)
Ubuntu 17.04 (Zesty Zapus):	released (1.0.2e-1ubuntu1)
Ubuntu 17.10 (Artful Aardvark):	released (1.0.2e-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver):	released (1.0.2e-1ubuntu1)

Patches:

Upstream:	https://git.openssl.org/?p=openssl.git;a=commit;h=b29ffa392e839d05171206523e84909146f7a77c (1.0.1)
Upstream:	https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d (1.0.2)

More Information

Updated: 2017-12-15 20:16:08 UTC (commit 13913)