MGASA-2013-0041
| Date: | February 8th, 2013 |
| Affected releases: | 2 |
| Media: | Core |
Description:
Several security problems have been found in openssl before 1.0.0k:
OCSP invalid key DoS issue. A flaw in the OpenSSL handling of OCSP
response verification can be exploitedin a denial of service attack.
(CVE-2013-0166)
SSL, TLS and DTLS Plaintext Recovery Attack. Nadhem Alfardan and Kenny
Paterson have discovered a weakness in the handling of CBC ciphersuites
in SSL, TLS and DTLS. Their attack exploits timing differences arising
during MAC processing. (CVE-2013-0169)
The packages have been updated to 1.0.0k to fix above security flaws.
Updated Packages:
i586:
libopenssl1.0.0-1.0.0k-1.mga2.i586.rpm
libopenssl-devel-1.0.0k-1.mga2.i586.rpm
libopenssl-engines1.0.0-1.0.0k-1.mga2.i586.rpm
libopenssl-static-devel-1.0.0k-1.mga2.i586.rpm
openssl-1.0.0k-1.mga2.i586.rpm
openssl-debug-1.0.0k-1.mga2.i586.rpm
x86_64:
lib64openssl1.0.0-1.0.0k-1.mga2.x86_64.rpm
lib64openssl-devel-1.0.0k-1.mga2.x86_64.rpm
lib64openssl-engines1.0.0-1.0.0k-1.mga2.x86_64.rpm
lib64openssl-static-devel-1.0.0k-1.mga2.x86_64.rpm
openssl-1.0.0k-1.mga2.x86_64.rpm
openssl-debug-1.0.0k-1.mga2.x86_64.rpm
SRPMS:
openssl-1.0.0k-1.mga2.src.rpm
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
https://bugs.mageia.org/show_bug.cgi?id=8980
