update for openssl
openssl was prone to several security issues:
- DTLS Plaintext Recovery Attack (CVE-2011-4108)
- Uninitialized SSL 3.0 Padding (CVE-2011-4576)
- Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
- SGC Restart DoS Attack (CVE-2011-4619)
- Invalid GOST parameters DoS Attack (CVE-2012-0027)
-
Submitted by
Guanjun He (gjhe)
Fixed bugs
bnc#739719
VUL-0: openssl: various security issues
CVE-CVE-2012-0027
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
CVE-CVE-2011-4577
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or
CVE-CVE-2011-4576
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an S
CVE-CVE-2011-4108
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
CVE-CVE-2011-4619
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors.
