MGASA-2019-0106

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0106.html

Import Source

https://advisories.mageia.org/MGASA-2019-0106.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2019-0106

Related

CVE-2019-1559

Published

2019-03-07T16:34:45Z

Modified

2019-03-07T16:07:38Z

Summary

Updated openssl packages fix security vulnerability

Details

If an application encounters a fatal protocol error and then calls SSLshutdown() twice (once to send a closenotify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data (CVE-2019-1559).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / openssl

Package

Name: openssl
Purl: pkg:rpm/mageia/openssl?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.2r-1.mga6

Ecosystem specific

{
    "section": "core"
}