Red Hat Security Advisory 2018-2186-01 - This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Issues addressed include a remote SQL injection vulnerability.
3ae001c838be7fe63f3f17218120c104c0337869b4012d6ba095f9df05b116a8
Red Hat Security Advisory 2018-2185-01 - This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Issues addressed include a remote SQL injection vulnerability.
7e87933107e4717883ce5385c59d3741b7ecc791f11d4f3340888ec72b50870b
Red Hat Security Advisory 2018-2187-01 - This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Issues addressed include out-of-bounds access.
3cf3a4008f8603285e63957d08f151b7215154836af4d8dfe0c8ddd59cc6c556
Red Hat Security Advisory 2018-0998-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include an overflow issue.
6168c059542581f19fa9bbb4b7ec633dce320694f1a1867ac12680acc809cebe
Debian Linux Security Advisory 4157-1 - Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.
e8680537002526b1337312ee29fa9521aef52fdb74130e66d0d1dac4c4dbbbdb
OpenSSL Security Advisory 20180327 - Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Other issues were also addressed.
06f896618c972892739490677cca48ef1283e588c8790590bbec26307dcc26b6
Gentoo Linux Security Advisory 201712-3 - Multiple vulnerabilities have been found in OpenSSL, the worst of which may lead to a Denial of Service condition. Versions less than 1.0.2n are affected.
fce3728192f2ad29f4f85aa453b99dae4b60a8dc3c7ceb2e2bc45239433e0b60
Ubuntu Security Notice 3512-1 - David Benjamin discovered that OpenSSL did not correctly prevent buggy applications that ignore handshake errors from subsequently calling certain functions. It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery multiplication procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys.
a103b944d6f8a85749386afed57846e8edac57db3a95092b4bd3128777b3642f
Slackware Security Advisory - New openssl packages are available for Slackware 14.2 and -current to fix security issues.
df944e02ba3ab7e2c344e82703dedcc6aaf7c147044b9875407518d20e3be9a5
FreeBSD Security Advisory - Invoking SSL_read()/SSL_write() while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. Various other issues were addressed.
bb3377d0fb3c1fc7d239e5446ade3da5c43af286b662042e0a558c54cd6d4ed5
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe
OpenSSL Security Advisory 20171207 - OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. Other issues were also addressed.
5b23d35b31c30e0ba27356ef231c18b5e034386ca01935b4c9740a2cf6a7469b