[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2013-171 ---- openssl

ID: oval:org.secpod.oval:def:1600259Date: (C)2016-05-19   (M)2017-09-22
Class: PATCHFamily: unix




It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2013-171
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
CVE    3
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
CPE    126
cpe:/a:oracle:openjdk:1.7.0
cpe:/a:polarssl:polarssl:0.14.0
cpe:/a:polarssl:polarssl:0.14.2
cpe:/a:polarssl:polarssl:0.14.3
...

© 2013 SecPod Technologies