CVE-2013-0169
Published: 8 February 2013
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Notes
| Author | Note |
|---|---|
| jdstrand | 1.0.1d has incorrect fix. Use 1.0.1e: |
| mdeslaur | regression bug: http://rt.openssl.org/Ticket/Display.html?id=2975&user=guest&pass=guest 1.0.1e still contains another regression: another regression: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest OpenSSL fix reverted by 1732-2 because of regression (see: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1133333) (see: http://rt.openssl.org/Ticket/Display.html?id=3002) (see: bugs.debian.org/cgi-bin/bugreport.cgi?bug=701868) |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openjdk-6 Launchpad, Ubuntu, Debian |
hardy |
Released
(6b27-1.12.3-0ubuntu1~08.04.1)
|
| lucid |
Released
(6b27-1.12.3-0ubuntu1~10.04)
|
|
| oneiric |
Released
(6b27-1.12.3-0ubuntu1~11.10)
|
|
| precise |
Released
(6b27-1.12.3-0ubuntu1~12.04)
|
|
| quantal |
Released
(6b27-1.12.3-0ubuntu1~12.10)
|
|
| raring |
Released
(6b27-1.12.3-1ubuntu1)
|
|
| saucy |
Released
(6b27-1.12.3-1ubuntu1)
|
|
| trusty |
Released
(6b27-1.12.3-1ubuntu1)
|
|
| upstream |
Released
(6b27-1.12.3)
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Released
(7u15-2.3.7-0ubuntu1~11.10)
|
|
| precise |
Released
(7u15-2.3.7-0ubuntu1~12.04)
|
|
| quantal |
Released
(7u15-2.3.7-0ubuntu1~12.10)
|
|
| raring |
Released
(7u15-2.3.7-1ubuntu1)
|
|
| saucy |
Released
(7u15-2.3.7-1ubuntu1)
|
|
| trusty |
Released
(7u15-2.3.7-1ubuntu1)
|
|
| upstream |
Pending
(7u13-2.3.7)
|
|
|
openssl Launchpad, Ubuntu, Debian |
hardy |
Released
(0.9.8g-4ubuntu3.20)
|
| lucid |
Released
(0.9.8k-7ubuntu8.14)
|
|
| oneiric |
Released
(1.0.0e-2ubuntu4.7)
|
|
| precise |
Released
(1.0.1-4ubuntu5.8)
|
|
| quantal |
Released
(1.0.1c-3ubuntu2.3)
|
|
| raring |
Released
(1.0.1c-4ubuntu8)
|
|
| saucy |
Released
(1.0.1c-4ubuntu8)
|
|
| trusty |
Released
(1.0.1c-4ubuntu8)
|
|
| upstream |
Released
(0.9.8y, 1.0.0k, 1.0.1e)
|
|
|
openssl098 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Released
(0.9.8o-7ubuntu3.2)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Released
(0.9.8o-7ubuntu3.2.13.10.1)
|
|
| trusty |
Released
(0.9.8o-7ubuntu3.2.14.04.1)
|
|
| upstream |
Released
(0.9.8y)
|
References
- http://www.openssl.org/news/secadv_20130204.txt
- http://www.isg.rhul.ac.uk/tls/
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
- https://ubuntu.com/security/notices/USN-1732-1
- https://ubuntu.com/security/notices/USN-1735-1
- https://ubuntu.com/security/notices/USN-1732-3
- https://www.cve.org/CVERecord?id=CVE-2013-0169
- NVD
- Launchpad
- Debian