815661 – (CVE-2012-2131) CVE-2012-2131 openssl: incomplete fix of CVE-2012-2110 for 0.9.x

Bug 815661 (CVE-2012-2131) - CVE-2012-2131 openssl: incomplete fix of CVE-2012-2110 for 0.9.x

Summary: CVE-2012-2131 openssl: incomplete fix of CVE-2012-2110 for 0.9.x

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2012-2131
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	813720
TreeView+	depends on / blocked

Reported:	2012-04-24 08:04 UTC by Tomas Hoger
Modified:	2021-02-24 12:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:	openssl 0.9.8w
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-04-24 08:13:09 UTC

Attachments	(Terms of Use)

Description Tomas Hoger 2012-04-24 08:04:59 UTC

It was discovered that upstream fix for OpenSSL issue CVE-2012-2110 (see bug #814185) did not completely address the issue for OpenSSL versions 0.9.x.  This incomplete fix problem did not affect versions 1.0.0 and 1.0.1, and was corrected in 0.9.8 branch in version 0.9.8w.

Upstream commit and announcement of the 0.9.8w release:
http://cvs.openssl.org/chngview?cn=22479
http://marc.info/?l=openssl-dev&m=133525318514423&w=2

Comment 1 Tomas Hoger 2012-04-24 08:13:09 UTC

As there were no Red Hat Enterprise Linux or Fedora updates released with an incomplete fix, they are not affected by this CVE.

Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6, as there were no updates released with an incomplete CVE-2012-2110 fix.

Note You need to log in before you can comment on or make changes to this bug.