Bug 815661 (CVE-2012-2131)

Summary: CVE-2012-2131 openssl: incomplete fix of CVE-2012-2110 for 0.9.x
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: tmraz, wnefal+redhatbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 0.9.8w Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-24 08:13:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 813720    

Description Tomas Hoger 2012-04-24 08:04:59 UTC 
It was discovered that upstream fix for OpenSSL issue CVE-2012-2110 (see bug #814185) did not completely address the issue for OpenSSL versions 0.9.x.  This incomplete fix problem did not affect versions 1.0.0 and 1.0.1, and was corrected in 0.9.8 branch in version 0.9.8w.

Upstream commit and announcement of the 0.9.8w release:
http://cvs.openssl.org/chngview?cn=22479
http://marc.info/?l=openssl-dev&m=133525318514423&w=2
Comment 1 Tomas Hoger 2012-04-24 08:13:09 UTC 
As there were no Red Hat Enterprise Linux or Fedora updates released with an incomplete fix, they are not affected by this CVE.

Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6, as there were no updates released with an incomplete CVE-2012-2110 fix.