CVE-2012-0884 in Ubuntu

CVE-2012-0884

Priority

Description

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://www.openssl.org/news/secadv_20120312.txt
https://usn.ubuntu.com/usn/usn-1451-1

Notes

sbeattie

only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS
transactions

mdeslaur

from oss-security: "If a Linux distribution picks up the fix for
CVE-2012-0884 then they will want to pick up change 22161 at the
same time since the fix for the security vulnerability will
generally cause symmetric decryption errors when it kicks in and
things get very confusing for the end user without change 22161"
A second issue was fixed too, see:
http://www.openwall.com/lists/oss-security/2012/05/11/5

Package

Source: openssl (LP Ubuntu Debian)

Upstream:	released (1.0.1)
Ubuntu 14.04 ESM (Trusty Tahr):	not-affected (1.0.1-4ubuntu1)

Patches:

Upstream:	http://cvs.openssl.org/chngview?cn=22238
Upstream:	http://cvs.openssl.org/chngview?cn=22161 (related)
Upstream:	http://cvs.openssl.org/chngview?cn=22537
Vendor:	http://www.debian.org/security/2012/dsa-2454

Package

Source: openssl098 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):	DNE (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])

More Information

Updated: 2019-12-05 20:58:46 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)