FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- Multiple vulnerabilities

Affected packages
openssl < 1.0.2m,1
openssl-devel < 1.1.0g

Details

VuXML ID f40f07aa-c00f-11e7-ac58-b499baebfeaf
Discovery 2017-11-02
Entry 2017-11-02

The OpenSSL project reports:

bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline.

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Severity: Low
This issue was previously announced in security advisory https://www.openssl.org/news/secadv/20170828.txt, but the fix has not previously been included in a release due to its low severity.

References

CVE Name CVE-2017-3735
CVE Name CVE-2017-3736
URL https://www.openssl.org/news/secadv/20171102.txt