Package name
openssl
Date
2013-04-05
Advisory ID
MDVSA-2013:052
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in openssl:

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d
does not properly perform signature verification for OCSP responses,
which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an invalid key
(CVE-2013-0166).

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly
consider timing side-channel attacks on a MAC check requirement
during the processing of malformed CBC padding, which allows remote
attackers to conduct distinguishing attacks and plaintext-recovery
attacks via statistical analysis of timing data for crafted packets,
aka the Lucky Thirteen issue (CVE-2013-0169).

The updated packages have been upgraded to the 1.0.0k version which
is not vulnerable to these issues.

Updated packages

MBS1 x86_64

 58cc1abbcad7a9098cbce29be2044b66  mbs1/x86_64/lib64openssl1.0.0-1.0.0k-1.mbs1.x86_64.rpm
 add939ebcb6482e7a22df2364b861ac8  mbs1/x86_64/lib64openssl-devel-1.0.0k-1.mbs1.x86_64.rpm
 d117afe1326fc6e0b6cded5aaab90de6  mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0k-1.mbs1.x86_64.rpm
 588f68343f0fea5c856b132dc96fd3b2  mbs1/x86_64/lib64openssl-static-devel-1.0.0k-1.mbs1.x86_64.rpm
 b28be77a3f2daea933c41585adcca575  mbs1/x86_64/openssl-1.0.0k-1.mbs1.x86_64.rpm 
 ef77059259c46937ce70b5fc9cf4d30d  mbs1/SRPMS/openssl-1.0.0k-1.mbs1.src.rpm

References