SB2016092618 - Missing CRL sanity check in openssl (Alpine package)
Published: September 26, 2016
Security Bulletin ID
SB2016092618
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing CRL sanity check (CVE-ID: CVE-2016-7052)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect implementation of CRL sanity check in version 1.0.2i. Any attempt to use CRLs results in null pointe exception and crashes the process.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=4376edf0014e6a665cd31b505e9743b39ee757f7
- https://git.alpinelinux.org/aports/commit/?id=5cbc7dc8d322823675050b8893daf42036a3c714
- https://git.alpinelinux.org/aports/commit/?id=3b1b395e37598b48dcec00a19a03f122646f1755
- https://git.alpinelinux.org/aports/commit/?id=5d5a83f5d395472559136570740c0e2163652526