CVE-2013-1623

Priority
Medium
Description
The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not
properly consider timing side-channel attacks on a noncompliant MAC check
operation during the processing of malformed CBC padding, which allows
remote attackers to conduct distinguishing attacks and plaintext-recovery
attacks via statistical analysis of timing data for crafted packets, a
related issue to CVE-2013-0169.
References
Bugs
Notes
jdstrand> no updates from upstream at this time
sarnold> not mentioned in April CPU, but the code fixed in the Debian
bug report is present, looks fixed
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):released (5.5.31-0ubuntu0.12.04.1)
Ubuntu 12.10 (Quantal Quetzal):released (5.5.31-0ubuntu0.12.10.1)
Ubuntu 13.04 (Raring Ringtail):released (5.5.31-0ubuntu0.13.04.1)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):released (5.1.69-0ubuntu0.10.04.1)
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.10 (Oneiric Ocelot):released (5.1.69-0ubuntu0.11.10.1)
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
More Information

Valid XHTML 1.0 Strict

Updated: 2013-04-25 23:14:15 UTC (commit 6767)