Package name
Advisory ID
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in openssl:

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d
does not properly perform signature verification for OCSP responses,
which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an invalid key

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly
consider timing side-channel attacks on a MAC check requirement
during the processing of malformed CBC padding, which allows remote
attackers to conduct distinguishing attacks and plaintext-recovery
attacks via statistical analysis of timing data for crafted packets,
aka the Lucky Thirteen issue (CVE-2013-0169).

The updated packages have been upgraded to the 1.0.0k version which
is not vulnerable to these issues.
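
As an added example (not part of the original advisory), the following POSIX shell check classifies an upstream OpenSSL version string against the ranges stated above: before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d. The function names `suffix_lt` and `classify_openssl` are hypothetical. The check assumes the package version tracks the upstream `MAJOR.MINOR.FIX[letters]` form, as the updated packages here do, rather than carrying backported fixes under an older version string.

```shell
#!/bin/sh
# Added example, not from the advisory. Thresholds are the ones it states:
# before 0.9.8y, 1.0.0 before 1.0.0k, 1.0.1 before 1.0.1d.

# suffix_lt A B: succeed if letter suffix A is an earlier release than B.
# Letter releases run "", a..z, za, zb, ... so compare length, then bytes.
suffix_lt() {
    if [ "${#1}" -ne "${#2}" ]; then
        [ "${#1}" -lt "${#2}" ]
    else
        LC_ALL=C expr "x$1" \< "x$2" >/dev/null
    fi
}

# classify_openssl VERSION: print affected, not-affected or unknown.
classify_openssl() {
    ver=$1
    # Accept only the classic upstream form MAJOR.MINOR.FIX[letters].
    if ! printf '%s\n' "$ver" | LC_ALL=C grep -Eq \
        '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)[a-z]*$'; then
        echo unknown
        return 0
    fi
    nums=${ver%%[a-z]*}      # e.g. 1.0.0
    suffix=${ver#"$nums"}    # e.g. k (may be empty)
    case $nums in
        0.9.8) fixed=y ;;
        1.0.0) fixed=k ;;
        1.0.1) fixed=d ;;
        *)
            # Other branches: older than 0.9.8 counts as "before 0.9.8y";
            # newer than 1.0.1 falls outside the stated ranges.
            old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
            if [ $(( $1 * 10000 + $2 * 100 + $3 )) -lt 908 ]; then
                echo affected
            else
                echo not-affected
            fi
            return 0 ;;
    esac
    if suffix_lt "$suffix" "$fixed"; then echo affected; else echo not-affected; fi
}

# Constructed sample versions, one per interesting case.
for v in 0.9.8x 0.9.8za 1.0.0j 1.0.0k 1.0.1 1.0.1d 1.0.0k-1.mbs1; do
    printf '%-16s %s\n' "$v" "$(classify_openssl "$v")"
done
```

On an RPM-based system the input can come from `rpm -q --qf '%{VERSION}\n' openssl`, which prints the version without the release suffix.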

Updated packages

MBS1 x86_64

 58cc1abbcad7a9098cbce29be2044b66  mbs1/x86_64/lib64openssl1.0.0-1.0.0k-1.mbs1.x86_64.rpm
 add939ebcb6482e7a22df2364b861ac8  mbs1/x86_64/lib64openssl-devel-1.0.0k-1.mbs1.x86_64.rpm
 d117afe1326fc6e0b6cded5aaab90de6  mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0k-1.mbs1.x86_64.rpm
 588f68343f0fea5c856b132dc96fd3b2  mbs1/x86_64/lib64openssl-static-devel-1.0.0k-1.mbs1.x86_64.rpm
 b28be77a3f2daea933c41585adcca575  mbs1/x86_64/openssl-1.0.0k-1.mbs1.x86_64.rpm
 ef77059259c46937ce70b5fc9cf4d30d  mbs1/SRPMS/openssl-1.0.0k-1.mbs1.src.rpm