CVE-2012-0884

Priority
Low
Description
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack.
References
Notes
sbeattie> only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS
transactions
mdeslaur> from oss-security: "If a Linux distribution picks up the fix for
mdeslaur> CVE-2012-0884 then they will want to pick up change 22161 at the
mdeslaur> same time since the fix for the security vulnerability will
mdeslaur> generally cause symmetric decryption errors when it kicks in and
mdeslaur> things get very confusing for the end user without change 22161"
mdeslaur> A second issue was fixed too, see:
mdeslaur> http://www.openwall.com/lists/oss-security/2012/05/11/5
Package
Upstream:needs-triage
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 12.04 LTS (Precise Pangolin):needed
Ubuntu 12.10 (Quantal Quetzal):needed
Ubuntu 13.04 (Raring Ringtail):ignored (reached end-of-life)
Ubuntu 13.10 (Saucy Salamander):needed
Ubuntu 14.04 LTS (Trusty Tahr):needed
Package
Upstream:released (1.0.1)
Ubuntu 10.04 LTS (Lucid Lynx):released (0.9.8k-7ubuntu8.13)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (1.0.1-4ubuntu1)
Ubuntu 12.10 (Quantal Quetzal):not-affected (1.0.1-4ubuntu1)
Ubuntu 13.04 (Raring Ringtail):not-affected (1.0.1-4ubuntu1)
Ubuntu 13.10 (Saucy Salamander):not-affected (1.0.1-4ubuntu1)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (1.0.1-4ubuntu1)
Patches:
Upstream:http://cvs.openssl.org/chngview?cn=22238
Upstream:http://cvs.openssl.org/chngview?cn=22161 (related)
Upstream:http://cvs.openssl.org/chngview?cn=22537
Vendor:http://www.debian.org/security/2012/dsa-2454
More Information

Valid XHTML 1.0 Strict

Updated: 2014-01-27 19:15:20 UTC (commit 7690)