Bug 771782 (CVE-2012-0027)

Summary: CVE-2012-0027 openssl: invalid GOST parameters DoS attack
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora, kalevlember, ktietz, lfarkas, maurizio, rjones, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-05 09:20:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 771783    

Description Vincent Danen 2012-01-04 22:58:53 UTC 
Invalid GOST parameters DoS Attack (CVE-2012-0027)
===================================================

A malicious TLS client can send an invalid set of GOST parameters
which will cause the server to crash due to lack of error checking.
This could be used in a denial-of-service attack.

Only users of the OpenSSL GOST ENGINE are affected by this bug.

Thanks to Andrey Kulikov <amdeich> for identifying and fixing
this issue.

Affected users should upgrade to OpenSSL 1.0.0f.

Reference: http://openssl.org/news/secadv_20120104.txt
Comment 1 Vincent Danen 2012-01-04 23:07:07 UTC 
Seems to be the fix here:

http://cvs.openssl.org/chngview?cn=21957
Comment 2 Tomas Mraz 2012-01-05 08:54:03 UTC 
GOST Engine is not being compiled on Fedora and RHEL due to requirement of EC crypto.
Comment 3 Tomas Hoger 2012-01-05 09:18:39 UTC 
Additionally, openssl versions in Red Hat Enterprise Linux 5 and earlier do not include GOST at all.
Comment 4 Tomas Hoger 2012-01-05 09:20:15 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6, as they did not include GOST engine support.