openssl-0.9.8e-26.AXS3.1
エラータID: AXSA:2013-126:01
リリース日:
2013/03/08 Friday - 19:43
題名:
openssl-0.9.8e-26.AXS3.1
影響のあるチャネル:
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- TLS プロトコルには暗号化されていないデータの長さを適切に不明瞭にせずに圧縮されたデータを暗号化し,"CRIME" 攻撃によって,中間者攻撃を行う攻撃者が平文の HTTP ヘッダを取得する脆弱性があります。(CVE-2012-4929)
- OpenSSL が OCSP レスポンスのための署名の検証を適切に行なっておらず,不正なキーによって,リ
モートの攻撃者がサービス拒否 (ヌルポインタ逆参照とアプリケーションのクラッシュ) を引き起こす脆弱性があります。 (CVE-2013-0166)
- OpenSSL, OpenJDK, PolarSSL や他の製品で使用されている TLS プロトコル,DTLS プロトコルは不正な CBC パディングの処理の間,MAC チェック要求でのタイミングサイドチャネル攻撃を適切に考慮しておらず,巧妙に細工されたパケットのタイミングデータの統計的分析によって,リモートの攻撃者が distinguishing 攻撃と平文回復攻撃 (plaintext-recovery attack) を行う脆弱性があります。(CVE-2013-0169)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2013-0169
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVE-2013-0166
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
追加情報:
N/A
ダウンロード:
SRPMS
- openssl-0.9.8e-26.AXS3.1.src.rpm
MD5: 0da680ca6c6c71afc3545ccb9aef2647
SHA-256: d65c310b235adeea6dad30ac58854876e3492e479e511e50abf5130b59a59da2
Size: 3.15 MB
Asianux Server 3 for x86
- openssl-0.9.8e-26.AXS3.1.i386.rpm
MD5: 937ac60cc04bfdd1b5891bd2b93ef5a7
SHA-256: e609ece00aff747ce364072cc8a9bb2f0d78cb4a6eed9ddbab81edf7aace495a
Size: 1.47 MB - openssl-0.9.8e-26.AXS3.1.i686.rpm
MD5: 59a9e02c0ebc82cd013e815e908d2d0b
SHA-256: 065fd3bdfbeb0fea15e854846c4a268eea0895d8f922c82dc44bd5825147f058
Size: 1.46 MB - openssl-devel-0.9.8e-26.AXS3.1.i386.rpm
MD5: 21d729856775a7765ca44099d24ccc85
SHA-256: 345d426d0ec5a6b4966401f548567f4c2f76a7c72a27d3ac6c719365bc24e6f4
Size: 1.90 MB - openssl-perl-0.9.8e-26.AXS3.1.i386.rpm
MD5: 56c92fa2c0a9342bd041da5981ba8541
SHA-256: 5a5bac7fa168e3c5499013b92433f6eba9798539954a4d6b48833f19e9ce1210
Size: 36.97 kB
Asianux Server 3 for x86_64
- openssl-0.9.8e-26.AXS3.1.x86_64.rpm
MD5: 6198800b606dc8e6fcbbe2b8fd9021ec
SHA-256: b577f70a04668be7b9c7cfaa7e2ec78c5172b751407f845fbf6789a5d2fbfc9c
Size: 1.46 MB - openssl-devel-0.9.8e-26.AXS3.1.x86_64.rpm
MD5: fa0430754b85f260e6283687cba29697
SHA-256: 437cf490922a9ca6310aa724b7952e0c57a249cac2921632487931b02ca54949
Size: 1.89 MB - openssl-perl-0.9.8e-26.AXS3.1.x86_64.rpm
MD5: d5a3968a1a621fcaef25e31cdbe9ded9
SHA-256: 585f8466ed900fe350181567861730f41da2ca489b0ea867ff2c295fd6382776
Size: 36.94 kB