openssl-1.0.1e-58.AXS4
エラータID: AXSA:2019-3985:01
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
* openssl: 0-byte record padding oracle (CVE-2019-1559)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2019-1559
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
Update packages.
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
N/A
SRPMS
- openssl-1.0.1e-58.AXS4.src.rpm
MD5: bf7f7305ef6e375899c06a1064392083
SHA-256: 3aff41d45dfaa0af19c1ce4cc84b87c12e63a0f606355dd1002cc324988e42f6
Size: 3.12 MB
Asianux Server 4 for x86
- openssl-1.0.1e-58.AXS4.i686.rpm
MD5: e8b3d42144301a87e02829acff81c20d
SHA-256: ea19d5ed3550ead232fca6a1595c83e4b000f1c3dfc7106cca4378e857ffa103
Size: 1.52 MB - openssl-devel-1.0.1e-58.AXS4.i686.rpm
MD5: ff3ca2b1edce483d4259f74d6ac00362
SHA-256: 4e6e7a220157fe78b8fd1da6e351b52ad3c434c4f01a6bdb9f843fb78f56037e
Size: 1.17 MB
Asianux Server 4 for x86_64
- openssl-1.0.1e-58.AXS4.x86_64.rpm
MD5: 4762db8aa7e5bd18aee72edaa2edbd46
SHA-256: a54c2b6c79aac71e84ffa6d988706cd5d75f97600d9afc34ab64d948cea93e22
Size: 1.53 MB - openssl-devel-1.0.1e-58.AXS4.x86_64.rpm
MD5: 022f2635dcc2184b06f7ca6adac6fbfa
SHA-256: 227b145b24b32874e2b99edb9d3519c44f55ed131e83934c103a350d522c0af5
Size: 1.17 MB - openssl-1.0.1e-58.AXS4.i686.rpm
MD5: e8b3d42144301a87e02829acff81c20d
SHA-256: ea19d5ed3550ead232fca6a1595c83e4b000f1c3dfc7106cca4378e857ffa103
Size: 1.52 MB - openssl-devel-1.0.1e-58.AXS4.i686.rpm
MD5: ff3ca2b1edce483d4259f74d6ac00362
SHA-256: 4e6e7a220157fe78b8fd1da6e351b52ad3c434c4f01a6bdb9f843fb78f56037e
Size: 1.17 MB