Bug 8980 - [Update Request]Update openssl package to fix several security problems
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://www.openssl.org/news/secadv_20...
Whiteboard: has_procedure MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Reported: 2013-02-06 20:05 CET by Funda Wang
Modified: 2013-02-13 00:50 CET

Source RPM: openssl-1.0.0k-1.mga2.src.rpm

Description Funda Wang 2013-02-06 20:05:15 CET
Several security problems have been found in openssl before 1.0.0k:

* CVE-2013-0169: SSL, TLS and DTLS Plaintext Recovery Attack. Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences arising during MAC processing.
* CVE-2013-0166: OCSP invalid key DoS issue. A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

The packages have been updated to the latest 1.0.0k to fix the above security flaws.
Comment 1 claire robinson 2013-02-06 20:11:58 CET
test procedure here https://wiki.mageia.org/en/QA_procedure:Openssl
Comment 2 Dave Hodgins 2013-02-07 04:24:58 CET
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
openssl-1.0.0k-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Several security problems have been found in openssl before 1.0.0k:

* CVE-2013-0169: SSL, TLS and DTLS Plaintext Recovery Attack. Nadhem Alfardan
and Kenny Paterson have discovered a weakness in the handling of CBC
ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences
arising during MAC processing.
* CVE-2013-0166: OCSP invalid key DoS issue. A flaw in the OpenSSL handling of
OCSP response verification can be exploited in a denial of service attack.

The packages have been updated to the latest 1.0.0k to fix the above security flaws.

https://bugs.mageia.org/show_bug.cgi?id=8980
Comment 3 Thomas Backlund 2013-02-08 15:56:01 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0041
Comment 4 David Walser 2013-02-13 00:50:54 CET
*** Bug 8970 has been marked as a duplicate of this bug. ***