GLSA-201612-16 : OpenSSL: Multiple vulnerabilities

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-201612-16
(OpenSSL: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers and the International Association for Cryptologic
Research’s (IACR) paper, “Make Sure DSA Signing Exponentiations
Really are Constant-Time” for further details.

Impact :

Remote attackers could cause a Denial of Service condition or have other
unspecified impacts. Additionally, a time-based side-channel attack may
allow a local attacker to recover a private DSA key.

Workaround :

There is no known workaround at this time.

See also :

https://eprint.iacr.org/2016/594.pdf
https://security.gentoo.org/glsa/201612-16

Solution :

All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-libs/openssl-1.0.2j'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
