CVE-2012-0884

Priority
Description
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack.
Notes
sbeattie: only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS
transactions
mdeslaur: from oss-security: "If a Linux distribution picks up the fix for
CVE-2012-0884 then they will want to pick up change 22161 at the
same time since the fix for the security vulnerability will
generally cause symmetric decryption errors when it kicks in and
things get very confusing for the end user without change 22161"
A second issue was fixed too, see:
http://www.openwall.com/lists/oss-security/2012/05/11/5
Package
Upstream: released (1.0.1)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (1.0.1-4ubuntu1)
Patches:
Upstream: http://cvs.openssl.org/chngview?cn=22238
Upstream: http://cvs.openssl.org/chngview?cn=22161 (related)
Upstream: http://cvs.openssl.org/chngview?cn=22537
Vendor: http://www.debian.org/security/2012/dsa-2454
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])

Updated: 2019-12-05 20:58:46 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)