Bug 1310811 (CVE-2016-0703)
Summary: | CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2 | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, harkanwal.johar, jason.greene, jawilson, jclere, jdoyle, lgao, mbabacek, myarboro, pslavice, rnetuka, rsvoboda, sardella, security-response-team, slawomir, twalsh, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | openssl 1.0.2a, openssl 1.0.1m, openssl 1.0.0r, openssl 0.9.8zf | Doc Type: | Bug Fix |
Doc Text: |
It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-21 00:50:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1301847 |
Description
Adam Mariš
2016-02-22 17:20:13 UTC
We have the CVE-2015-0293 fix applied. CVE-2015-0293 is tracked via bug 1202404. For upstream commit correcting this issue, see bug 1202404 comment 5. Acknowledgments: Name: the OpenSSL project Upstream: David Adrian (University of Michigan), J. Alex Halderman (University of Michigan) External References: https://www.openssl.org/news/secadv/20160301.txt This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Extended Lifecycle Support Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5.6 Long Life Red Hat Enterprise Linux 5.9 Long Life Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 Advanced Update Support Red Hat Enterprise Linux 6.5 Advanced Update Support Red Hat Enterprise Linux 6.4 Advanced Update Support Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html Statement: (none) This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html By any chance these fixes will be available for centos distribution (6). Any ETA for same. Thanks Gentle reminder, any information on when the fix would be available in centos 6 distribution If you look at the changelog of the current openssl in CentOS you can see there is fix for CVE-2015-0293 which means this package is not vulnerable to CVE-2016-0703. (In reply to Tomas Mraz from comment #12) > If you look at the changelog of the current openssl in CentOS you can see > there is fix for CVE-2015-0293 which means this package is not vulnerable to > CVE-2016-0703. Thanks Tomas, If you also provide insight on CVE-2016-0704. Bugzila link --> https://bugzilla.redhat.com/show_bug.cgi?id=1310814 i would be grateful. (In reply to Tomas Mraz from comment #12) > If you look at the changelog of the current openssl in CentOS you can see > there is fix for CVE-2015-0293 which means this package is not vulnerable to > CVE-2016-0703. Thanks Tomas, If you also provide insight on CVE-2016-0704. Bugzila link --> https://bugzilla.redhat.com/show_bug.cgi?id=1310814 i would be grateful. |