CVE-2016-0705

Published: 22 February 2016

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

Priority

Low

CVSS 3 base score: 9.8

Status

Package      Release                            Status
openssl      Upstream                           Needed
openssl      Ubuntu 16.04 ESM (Xenial Xerus)    Released (1.0.2g-1ubuntu2)
openssl      Ubuntu 14.04 ESM (Trusty Tahr)     Released (1.0.1f-1ubuntu2.18)
Patches:
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=6c88c71b4e4825c7bc0489306d062d017634eb88 (1.0.2)
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=ccb2a614074ee15c0fbbb9dd49e3cd258d68380a (1.0.1)
openssl098   Upstream                           Needed
openssl098   Ubuntu 16.04 ESM (Xenial Xerus)    Does not exist
openssl098   Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was not-affected [code not present])