Alpine: libcrypto3, multiple openssl packages: security update to 1.0.2-r0 (deprecated)

Severity: High. Tenable Cloud Security Plugin ID 401057

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before
0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to
cause a denial of service (memory corruption and application crash) or possibly have unspecified other
impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
(CVE-2015-0209)

- The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state
information of independent data streams, which allows remote attackers to cause a denial of service
(application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
(CVE-2015-0207)

- The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c
in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the
certificate-verification feature. (CVE-2015-0208)

- The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG
is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat
cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.
(CVE-2015-0285)

See Also

https://git.alpinelinux.org/aports/commit/?id=8751d8eebf4ec79352ab99ea542e4ff8e7611ff1

https://git.alpinelinux.org/aports/commit/?id=c6126a69ea81e52ca1dd891a10c5952035283875

Plugin Details

Severity: High

ID: 401057

Version: Revision 1.26

Type: Local

Published: 8/16/2023

Updated: 4/22/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.22

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2015-0209

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2015-0291

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/19/2015

Vulnerability Publication Date: 3/2/2015

Reference Information

CVE: CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0293, CVE-2015-1787

BID: 73225, 73226, 73227, 73229, 73230, 73231, 73232, 73234, 73235, 73237, 73238, 73239

IAVA: 2015-A-0063-S