Package name
openssl
Date
2013-03-06
Advisory ID
MDVSA-2013:018
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in openssl:

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d
does not properly perform signature verification for OCSP responses,
which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an invalid key
(CVE-2013-0166).

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly
consider timing side-channel attacks on a MAC check requirement
during the processing of malformed CBC padding, which allows remote
attackers to conduct distinguishing attacks and plaintext-recovery
attacks via statistical analysis of timing data for crafted packets,
aka the Lucky Thirteen issue (CVE-2013-0169).

The updated packages have been patched to correct these issues.
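
The following Python code is an added example, not part of the advisory or of OpenSSL: it checks an upstream OpenSSL version string against the version bounds the advisory text gives for CVE-2013-0166. It applies to upstream version numbers only; the updated packages in this advisory stay at 0.9.8h and carry the fix as a backport, so distribution packages have to be judged by package release instead. The function names and the sample banners are assumptions made for illustration.

```python
import re

# First fixed upstream release letter per branch, taken from the advisory
# text for CVE-2013-0166 (0.9.8y, 1.0.0k, 1.0.1d).
FIXED = {(0, 9, 8): "y", (1, 0, 0): "k", (1, 0, 1): "d"}
OLDEST_BRANCH = min(FIXED)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from e.g. 'OpenSSL 1.0.1c 10 May 2012'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4)


def upstream_affected(text):
    """True if the upstream version falls inside the ranges the advisory states."""
    branch, letters = parse_version(text)
    if branch < OLDEST_BRANCH:
        # "before 0.9.8y" also covers every branch older than 0.9.8.
        return True
    fixed = FIXED.get(branch)
    if fixed is None:
        # Branch newer than those the advisory names.
        return False
    # Letter suffixes order as '' < 'a' < ... < 'z' < 'za' < 'zb',
    # which matches plain string comparison.
    return letters < fixed


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = [
        "OpenSSL 0.9.8x 10 May 2012",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.0j 10 May 2012",
        "OpenSSL 1.0.1c 10 May 2012",
        "OpenSSL 1.0.1d 5 Feb 2013",
    ]
    for banner in samples:
        state = "affected" if upstream_affected(banner) else "not in affected range"
        print("%-30s %s" % (banner, state))
```
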

Updated packages

MES5 i586

 f63b9b053de1c60c4f4788580b851c64  mes5/i586/libopenssl0.9.8-0.9.8h-3.17mdvmes5.2.i586.rpm
 9fc882ea3439d0fb8d4541e006f8ca9e  mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.17mdvmes5.2.i586.rpm
 bd9381aa90e00aad423298c6a88024ed  mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.17mdvmes5.2.i586.rpm
 92f0d8b80568331db9b14ba3ca1de4a9  mes5/i586/openssl-0.9.8h-3.17mdvmes5.2.i586.rpm 
 0a98f4ecc79ccd81bb3a3bde8fe7213b  mes5/SRPMS/openssl-0.9.8h-3.17mdvmes5.2.src.rpm

MES5 x86_64

 f6aa7561c9702670eb2c62d296948413  mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.17mdvmes5.2.x86_64.rpm
 ec6960fea767683ad20742d73a09a0b4  mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.17mdvmes5.2.x86_64.rpm
 f5923b3329f9fd6f9dbf2ee71badbf47  mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.17mdvmes5.2.x86_64.rpm
 d4de3229651245bbc53a0e8ffbb2770b  mes5/x86_64/openssl-0.9.8h-3.17mdvmes5.2.x86_64.rpm 
 0a98f4ecc79ccd81bb3a3bde8fe7213b  mes5/SRPMS/openssl-0.9.8h-3.17mdvmes5.2.src.rpm

References