CVE-2012-0884
Published: 12 March 2012
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Notes
Author | Note |
---|---|
sbeattie | only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS transactions |
mdeslaur | from oss-security: "If a Linux distribution picks up the fix for CVE-2012-0884 then they will want to pick up change 22161 at the same time since the fix for the security vulnerability will generally cause symmetric decryption errors when it kicks in and things get very confusing for the end user without change 22161" A second issue was fixed too, see: http://www.openwall.com/lists/oss-security/2012/05/11/5 |
Priority
Status
Package | Release | Status |
---|---|---|
openssl Launchpad, Ubuntu, Debian |
hardy |
Released
(0.9.8g-4ubuntu3.19)
|
lucid |
Released
(0.9.8k-7ubuntu8.13)
|
|
maverick |
Ignored
(end of life)
|
|
natty |
Released
(0.9.8o-5ubuntu1.7)
|
|
oneiric |
Released
(1.0.0e-2ubuntu4.6)
|
|
precise |
Not vulnerable
(1.0.1-4ubuntu1)
|
|
quantal |
Not vulnerable
(1.0.1-4ubuntu1)
|
|
raring |
Not vulnerable
(1.0.1-4ubuntu1)
|
|
saucy |
Not vulnerable
(1.0.1-4ubuntu1)
|
|
trusty |
Not vulnerable
(1.0.1-4ubuntu1)
|
|
upstream |
Released
(1.0.1)
|
|
Patches: upstream: http://cvs.openssl.org/chngview?cn=22238 upstream: http://cvs.openssl.org/chngview?cn=22161 upstream: http://cvs.openssl.org/chngview?cn=22537 vendor: http://www.debian.org/security/2012/dsa-2454 |
||
openssl098 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Ignored
(end of life)
|
|
precise |
Released
(0.9.8o-7ubuntu3.2)
|
|
quantal |
Ignored
(end of life)
|
|
raring |
Ignored
(end of life)
|
|
saucy |
Released
(0.9.8o-7ubuntu3.2.13.10.1)
|
|
trusty |
Released
(0.9.8o-7ubuntu3.2.14.04.1)
|
|
upstream |
Needs triage
|