openssl-1.0.0-27.AXS4.2
Errata ID: AXSA:2013-168:01
Release date:
2013/03/12 Tuesday - 21:40
Title:
openssl-1.0.0-27.AXS4.2
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
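The following issues have been addressed.
[Security Fix]
- The TLS protocol encrypts compressed data without properly obfuscating the length of the unencrypted data, which allows a man-in-the-middle attacker to obtain plaintext HTTP headers via a "CRIME" attack. (CVE-2012-4929)
- OpenSSL does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. (CVE-2013-0166)
- The TLS implementation in GnuTLS does not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets. (CVE-2013-0169)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.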
CVE:
CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
CVE-2013-0166
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
CVE-2013-0169
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Additional information:
N/A
Download:
SRPMS
- openssl-1.0.0-27.AXS4.2.src.rpm
MD5: 8969f729d2abac4e0e1465c4663cfc44
SHA-256: d2b11f12c5a93fd40ff23b0ca924e7fb414858749a510daf1548fabb23362292
Size: 3.28 MB
Asianux Server 4 for x86
- openssl-1.0.0-27.AXS4.2.i686.rpm
MD5: f10e1074f8431bdae02a2463b320608e
SHA-256: 898145eaa75b573d70e888ee8d32a18ccce239d69086b1020936824597ec0f75
Size: 1.37 MB
- openssl-devel-1.0.0-27.AXS4.2.i686.rpm
MD5: c351bffa5933205c09912e10e46cc673
SHA-256: 8b859c6b0622dcf7c5d1e4f0e302ae11fa7b504e8868fbf0f951b8e75b3d9ffc
Size: 1.15 MB
Asianux Server 4 for x86_64
- openssl-1.0.0-27.AXS4.2.x86_64.rpm
MD5: 18fd2c96e8b355571570cd0b63f1715c
SHA-256: 873760b2fe2046aa98784e87cecaa934f96ae72da120118619299c6c6ecb2034
Size: 1.36 MB
- openssl-devel-1.0.0-27.AXS4.2.x86_64.rpm
MD5: 5bab989dcd8c43527acc2d88568555b0
SHA-256: 5d49a155a204d54a0906f4a6b820e4966c30de1de98823e7c2ca41a16f40be40
Size: 1.15 MB
- openssl-1.0.0-27.AXS4.2.i686.rpm
MD5: f10e1074f8431bdae02a2463b320608e
SHA-256: 898145eaa75b573d70e888ee8d32a18ccce239d69086b1020936824597ec0f75
Size: 1.37 MB
- openssl-devel-1.0.0-27.AXS4.2.i686.rpm
MD5: c351bffa5933205c09912e10e46cc673
SHA-256: 8b859c6b0622dcf7c5d1e4f0e302ae11fa7b504e8868fbf0f951b8e75b3d9ffc
Size: 1.15 MB