IBM Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2016-2176 CVE-2016-2109 CVE-2016-2108 CVE-2016-2106 CVE-2016-2105)

This bulletin addresses CVE-2016-2176 CVE-2016-2109 CVE-2016-2108 CVE-2016-2106 CVE-2016-2105 for AIX.

CVE(s): CVE-2016-2176, CVE-2016-2109, CVE-2016-2108, CVE-2016-2106 and CVE-2016-2105

Affected product(s) and affected version(s):

        AIX 5.3, 6.1, 7.1, 7.2
        VIOS 2.2.x

        The following fileset levels are vulnerable:
        
        key_fileset = osrcaix

        Fileset          Lower Level   Upper Level  KEY 
        --------------------------------------------------
        openssl.base     0.9.8.401     0.9.8.2506   key_w_fs
        openssl.base     1.0.1.500     1.0.1.515    key_w_fs
        openssl.base     1.0.2.500     1.0.2.500    key_w_fs
        openssl.base    12.9.8.1100   12.9.8.2506   key_w_fs
        openssl.base    20.11.101.500 20.11.101.500 key_w_fs

        Note, 0.9.8.401 and 12.9.8.1100 are the Lowest OpenSSL version
        available in aix web download site. Even OpenSSL versions below 
        this are impacted.

        Note:  To find out whether the affected filesets are installed 
        on your systems, refer to the lslpp command found in AIX user's guide.

        Example:  lslpp -L | grep -i openssl.base

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2agK07q
X-Force Database: http://ift.tt/2a5G0GZ
X-Force Database: http://ift.tt/29OZj5N
X-Force Database: http://ift.tt/2a9qwnB
X-Force Database: http://ift.tt/29OZVsd
X-Force Database: http://ift.tt/2a9qzQm

from IBM Product Security Incident Response Team http://ift.tt/29OZC0z