CVE-2015-3195

Priority
Medium
Description
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before
1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which
allows remote attackers to obtain sensitive information from process memory
by triggering a decoding failure in a PKCS#7 or CMS application.
Assigned-to
mdeslaur
Package
Upstream: released (0.9.8zh)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: released (1.0.2e, 1.0.1q)
Ubuntu 12.04 ESM (Precise Pangolin): released (1.0.1-4ubuntu5.32)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.0.1f-1ubuntu2.16)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.0.2e-1ubuntu1)
Ubuntu 17.04 (Zesty Zapus): released (1.0.2e-1ubuntu1)
Ubuntu 17.10 (Artful Aardvark): released (1.0.2e-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.0.2e-1ubuntu1)
Patches:
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=b29ffa392e839d05171206523e84909146f7a77c (1.0.1)
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d (1.0.2)

Updated: 2017-12-15 20:16:08 UTC (commit 13913)