[Forgot Password]
Login  Register Subscribe

24003

 
 

131573

 
 

108566

 
 

909

 
 

85401

 
 

134

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2013-171 ---- openssl

ID: oval:org.secpod.oval:def:1600259Date: (C)2016-05-19   (M)2018-05-06
Class: PATCHFamily: unix




It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2013-171
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
CVE    3
CVE-2013-0166
CVE-2013-0169
CVE-2012-4929
CPE    94
cpe:/a:openssl:openssl:1.0.0j
cpe:/a:openssl:openssl:1.0.0i
cpe:/a:openssl:openssl:1.0.1c
cpe:/a:openssl:openssl:0.9.8x
...

© SecPod Technologies