README VERSION               : 1.1
README CREATION DATE         : 2015-12-01
PATCH-ID                     : 151811-01
PATCH NAME                   : VRTSperl 5.20.1.2
BASE PACKAGE NAME            : VRTSperl
BASE PACKAGE VERSION         : 5.20.1.1
SUPERSEDED PATCHES           : NONE
REQUIRED PATCHES             : NONE
INCOMPATIBLE PATCHES         : NONE
SUPPORTED PADV               : sol10_sparc
(P-PLATFORM , A-ARCHITECTURE , D-DISTRIBUTION , V-VERSION)
PATCH CATEGORY               : OTHER
PATCH CRITICALITY            : OPTIONAL
HAS KERNEL COMPONENT         : NO
ID                           : NONE
REBOOT REQUIRED              : NO
REQUIRE APPLICATION DOWNTIME : NO

PATCH INSTALLATION INSTRUCTIONS:
--------------------------------
patchadd 151811-01

PATCH UNINSTALLATION INSTRUCTIONS:
----------------------------------
patchrm 151811-01

SPECIAL INSTRUCTIONS:
---------------------
NONE

SUMMARY OF FIXED ISSUES:
-----------------------------------------
PATCH ID:5.20.1.2
3855542 (3860910) The module OpenSSL 1.0.1m in the VRTSperl package has several security issues.

SUMMARY OF KNOWN ISSUES:
-----------------------------------------
NONE

KNOWN ISSUES :
--------------
NONE

FIXED INCIDENTS:
----------------
PATCH ID:5.20.1.2

* INCIDENT NO:3855542    TRACKING ID:3860910

SYMPTOM:
The module OpenSSL 1.0.1m in the VRTSperl package has several security issues.

DESCRIPTION:
The following major issues exist in OpenSSL 1.0.1m:
 o Alternate chains certificate forgery (CVE-2015-1793)
 o HMAC ABI incompatibility
 o Malformed ECParameters causes infinite loop (CVE-2015-1788)
 o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
 o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
 o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
 o Race condition handling NewSessionTicket (CVE-2015-1791)

RESOLUTION:
The code is modified to upgrade the bundled OpenSSL from 1.0.1m to 1.0.1p, which fixes several security issues.

INCIDENTS FROM OLD PATCHES:
---------------------------
NONE