PublicDateAtUSN: 2012-03-12
Candidate: CVE-2012-0884
PublicDate: 2012-03-13 03:12:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
 http://www.openssl.org/news/secadv_20120312.txt
 https://ubuntu.com/security/notices/USN-1451-1
Description:
 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Ubuntu-Description:
Notes:
 sbeattie> only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS transactions
 mdeslaur> from oss-security: "If a Linux distribution picks up the fix for
 mdeslaur> CVE-2012-0884 then they will want to pick up change 22161 at the
 mdeslaur> same time since the fix for the security vulnerability will
 mdeslaur> generally cause symmetric decryption errors when it kicks in and
 mdeslaur> things get very confusing for the end user without change 22161"
 mdeslaur> A second issue was fixed too, see:
 mdeslaur> http://www.openwall.com/lists/oss-security/2012/05/11/5
Bugs:
Priority: low
Discovered-by: Ivan Nestlerode
Assigned-to:
CVSS:

Patches_openssl:
 upstream: http://cvs.openssl.org/chngview?cn=22238
 upstream: http://cvs.openssl.org/chngview?cn=22161 (related)
 upstream: http://cvs.openssl.org/chngview?cn=22537
 vendor: http://www.debian.org/security/2012/dsa-2454
upstream_openssl: released (1.0.1)
hardy_openssl: released (0.9.8g-4ubuntu3.19)
lucid_openssl: released (0.9.8k-7ubuntu8.13)
maverick_openssl: ignored (reached end-of-life)
natty_openssl: released (0.9.8o-5ubuntu1.7)
oneiric_openssl: released (1.0.0e-2ubuntu4.6)
precise_openssl: not-affected (1.0.1-4ubuntu1)
quantal_openssl: not-affected (1.0.1-4ubuntu1)
raring_openssl: not-affected (1.0.1-4ubuntu1)
saucy_openssl: not-affected (1.0.1-4ubuntu1)
trusty_openssl: not-affected (1.0.1-4ubuntu1)
trusty/esm_openssl: not-affected (1.0.1-4ubuntu1)
devel_openssl: not-affected (1.0.1-4ubuntu1)

Patches_openssl098:
upstream_openssl098: needs-triage
hardy_openssl098: DNE
lucid_openssl098: DNE
maverick_openssl098: DNE
natty_openssl098: DNE
oneiric_openssl098: ignored (reached end-of-life)
precise_openssl098: released (0.9.8o-7ubuntu3.2)
quantal_openssl098: ignored (reached end-of-life)
raring_openssl098: ignored (reached end-of-life)
saucy_openssl098: released (0.9.8o-7ubuntu3.2.13.10.1)
trusty_openssl098: released (0.9.8o-7ubuntu3.2.14.04.1)
trusty/esm_openssl098: DNE (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])
devel_openssl098: released (0.9.8o-7ubuntu4)