{"id":"MGASA-2016-0056","summary":"Updated openssl packages fix security vulnerabilities","details":"Updated openssl packages fix security vulnerability:\n\nOpenSSL before 1.0.2f would allow for a process to re-use the same private\nDiffie-Hellman exponent repeatedly during its entire lifetime, which, given\nthat it also allows to use custom DH parameters which may be based on\nunsafe primes, could enable an attack that could discover the DH exponent,\ncompromising the security of DH symmetric key negotiation (CVE-2016-0701).\n\nIn OpenSSL before 1.0.2f, A malicious client can negotiate SSLv2 ciphers\nthat have been disabled on the server and complete SSLv2 handshakes even if\nall SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was\nnot also disabled via SSL_OP_NO_SSLv2 (CVE-2015-3197).\n","modified":"2026-02-01T04:12:03.483516Z","published":"2016-02-09T13:05:25Z","related":["CVE-2015-3197","CVE-2016-0701"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0056.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17640"},{"type":"REPORT","url":"https://www.openssl.org/news/secadv/20160128.txt"}],"affected":[{"package":{"name":"openssl","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/openssl?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.2f-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0056.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}