Bug 820686 (CVE-2012-2333)
Summary: | CVE-2012-2333 openssl: record length handling integer underflow | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | erik-fedora, james, kalevlember, ktietz, lfarkas, mehmetgelisin, mvadkert, rjones, tmraz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | openssl 0.9.8x, openssl 1.0.0j, openssl 1.0.1c | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-09-25 08:00:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 820693, 820694, 821646, 821647, 821648, 821649 | ||
Bug Blocks: | 820691 |
Description
Tomas Hoger
2012-05-10 17:18:09 UTC
External Reference: http://openssl.org/news/secadv_20120510.txt Created mingw32-openssl tracking bugs for this issue Affects: fedora-all [bug 820694] Created openssl tracking bugs for this issue Affects: fedora-all [bug 820693] CERT-FI advisory: http://www.cert.fi/en/reports/2012/vulnerability641549.html The statement: Explicit IV is used in TLS 1.2, 1.1 and DTLS. The openssl packages in Red Hat Enterprise Linux 3, 4, 5, and 6 only support TLS 1.0 and do not support TLS 1.1 and 1.2 and hence are not affected by the TLS part of this problem. TLS versions 1.1 and 1.2 support was introduced upstream in OpenSSL version 1.0.1. That version is currently only available in Fedora Rawhide/18. Could someone update https://access.redhat.com/security/cve/CVE-2012-2333 with this information. openssl-1.0.0j-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:0699 https://rhn.redhat.com/errata/RHSA-2012-0699.html openssl-1.0.0j-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. openssl-1.0.0j-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3 and 4. The openssl versions in Red Hat Enterprise Linux 5 and 6 were partially affected, as they support DTLS, but they do not support TLS 1.1 and TLS 1.2. This issue was addressed in Red Hat Enterprise Linux 5 and 6 via RHSA-2012:0699. This issue has been addressed in following products: JBoss Enterprise Application Platform 6.0.0 Via RHSA-2012:1308 https://rhn.redhat.com/errata/RHSA-2012-1308.html This issue has been addressed in following products: JBoss Enterprise Application Platform 5.1.2 Via RHSA-2012:1307 https://rhn.redhat.com/errata/RHSA-2012-1307.html This issue has been addressed in following products: JBoss Enterprise Web Server 1.0.2 Via RHSA-2012:1306 https://rhn.redhat.com/errata/RHSA-2012-1306.html |