Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201203-12 ] OpenSSL: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Tue Mar 06, 2012 12:26 pm    Post subject: [ GLSA 201203-12 ] OpenSSL: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: OpenSSL: Multiple vulnerabilities (GLSA 201203-12)
Severity: normal
Exploitable: remote
Date: March 06, 2012
Updated: July 07, 2014
Bug(s): #397695, #399365
ID: 201203-12

Synopsis

Multiple vulnerabilities have been found in OpenSSL, allowing
remote attackers to cause a Denial of Service or obtain sensitive
information.


Background

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.


Affected Packages

Package: dev-libs/openssl
Vulnerable: < 1.0.0g
Unaffected: >= 1.0.0g
Unaffected: >= 0.9.8t < 0.9.9
Unaffected: >= 0.9.8u < 0.9.9
Unaffected: >= 0.9.8v < 0.9.9
Unaffected: >= 0.9.8w < 0.9.9
Unaffected: >= 0.9.8x < 0.9.9
Unaffected: >= 0.9.8y < 0.9.9
Unaffected: >= 0.9.8z_p1 < 0.9.9
Unaffected: >= 0.9.8z_p2 < 0.9.9
Unaffected: >= 0.9.8z_p3 < 0.9.9
Unaffected: >= 0.9.8z_p4 < 0.9.9
Unaffected: >= 0.9.8z_p5 < 0.9.9
Architectures: All supported architectures


Description

Multiple vulnerabilities have been found in OpenSSL:
  • Timing differences for decryption are exposed by CBC mode encryption
    in OpenSSL’s implementation of DTLS (CVE-2011-4108).
  • A policy check failure can result in a double-free error when
    X509_V_FLAG_POLICY_CHECK is set (CVE-2011-4109).
  • Clients and servers using SSL 3.0 handshakes do not clear the block
    cipher padding, allowing a record to contain up to 15 bytes of
    uninitialized memory, which could include sensitive information
    (CVE-2011-4576).
  • Assertion errors can occur during the handling of malformed X.509
    certificates when OpenSSL is built with RFC 3779 support
    (CVE-2011-4577).
  • A resource management error can occur when OpenSSL’s server gated
    cryptography (SGC) does not properly handle handshake restarts
    (CVE-2011-4619).
  • Invalid parameters in the GOST block cipher are not properly handled
    by the GOST ENGINE(CVE-2012-0027).
  • An incorrect fix for CVE-2011-4108 creates an unspecified
    vulnerability for DTLS applications using OpenSSL (CVE-2012-0050).


Impact

A remote attacker may be able to cause a Denial of Service or obtain
sensitive information, including plaintext passwords.


Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0g"
   


References

CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0027
[url=http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0050 ]
CVE-2012-0050
[/url]


Last edited by GLSA on Sun Dec 21, 2014 4:30 am; edited 8 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum