AXSA:2019-4126:04

リリース日: 
2019/08/20 Tuesday - 02:10
題名: 
openssl-1.0.2k-19.el7
影響のあるチャネル: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.

CVE-2018-0734
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVE-2019-1559
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
1. openssl-1.0.2k-19.el7.src.rpm
md5sum: 246594320906adcff5e2f9f5181298fa
sha256sum: 6bfb49aa5315bed2e37697d7959a0f5d45ac5249943d9b3c7ed756da4286cdc6
Size: 3,672 Kb

Asianux Server 7.0 for x86_64
1. openssl-1.0.2k-19.el7.x86_64.rpm
md5sum: ad632d5f34d745bd50ea04d368515c01
sha256sum: 39bcae575029f1b832e6802609915f02161b85156167a2706ec7674b26baac13
Size: 492 Kb
2. openssl-devel-1.0.2k-19.el7.x86_64.rpm
md5sum: d81f9034d6fb9c924248194372253677
sha256sum: 59fbe1ceeaf81391afe548d168aa5c7ec867461aa71f10cc98a0f745fd731448
Size: 1,543 Kb
3. openssl-libs-1.0.2k-19.el7.x86_64.rpm
md5sum: 35b6128e1a9743a42174195b41642474
sha256sum: 76d72be4d91d034c75a9d028064419e106478d4bb29bf3a7a3fe0d79b7eb0377
Size: 1,224 Kb
4. openssl-devel-1.0.2k-19.el7.i686.rpm
md5sum: 6bba5ad86625b50da980f2e26d7afeb5
sha256sum: a59fbc4ac1a100da2c8fc39fdddfe9faee7dc64a8771c2f3160c9fdfc26a21fc
Size: 1,543 Kb
5. openssl-libs-1.0.2k-19.el7.i686.rpm
md5sum: b0751e6ad81804a82b531976bd9fb464
sha256sum: 0514f3e9bdf267f443f5d21a39bbc91774c0a8af7b97a6f47d714bb1845234d1
Size: 995 Kb
Copyright© 2007-2015 Asianux. All rights reserved.