Bug 908052 (CVE-2013-0166) - CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification
Summary: CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verifica...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0166
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 911051 911052 911061 911063 919303 919304 1127896
Blocks: 908053 920007 954223 959037
TreeView+ depends on / blocked
 
Reported: 2013-02-05 17:56 UTC by Vincent Danen
Modified: 2021-09-13 19:46 UTC (History)
14 users (show)

Fixed In Version: openssl 1.0.1d, openssl 1.0.0k, openssl 0.9.8y
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-03 18:05:19 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-10665 0 Major Resolved EAP-5: OpenSSL natives security fixes for Solaris/Windows/HP-UX (CVE-2013-0166 CVE-2013-0169) 2018-09-14 11:29:32 UTC
Red Hat Product Errata RHSA-2013:0587 0 normal SHIPPED_LIVE Moderate: openssl security update 2013-03-05 02:11:42 UTC
Red Hat Product Errata RHSA-2013:0636 0 normal SHIPPED_LIVE Important: rhev-hypervisor6 security and bug fix update 2013-03-13 18:47:11 UTC
Red Hat Product Errata RHSA-2013:0782 0 normal SHIPPED_LIVE Moderate: openssl security update 2013-05-01 22:03:43 UTC
Red Hat Product Errata RHSA-2013:0783 0 normal SHIPPED_LIVE Moderate: openssl security update 2013-05-01 22:03:38 UTC
Red Hat Product Errata RHSA-2013:0833 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 18:31:18 UTC
Red Hat Product Errata RHSA-2013:1013 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 20:18:21 UTC

Description Vincent Danen 2013-02-05 17:56:27 UTC
A flaw was found in the way that OpenSSL handled OCSP response verification, which could be exploited to conduct a denial of service attack.  This flaw affects all versions of OpenSSL and is fixed in versions 1.0.1d, 1.0.0k, and 0.9.8y.

External References:

http://www.openssl.org/news/secadv_20130205.txt

Comment 8 Fedora Update System 2013-03-02 19:55:46 UTC
openssl-1.0.1e-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2013-03-04 21:16:10 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0587 https://rhn.redhat.com/errata/RHSA-2013-0587.html

Comment 10 Fedora Update System 2013-03-08 00:02:31 UTC
openssl-1.0.0k-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2013-03-13 14:48:00 UTC
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html

Comment 16 errata-xmlrpc 2013-05-01 18:04:48 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0783 https://rhn.redhat.com/errata/RHSA-2013-0783.html

Comment 17 errata-xmlrpc 2013-05-01 18:04:57 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0782 https://rhn.redhat.com/errata/RHSA-2013-0782.html

Comment 20 errata-xmlrpc 2013-05-20 14:33:19 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

Comment 25 errata-xmlrpc 2013-07-03 16:19:28 UTC
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html


Note You need to log in before you can comment on or make changes to this bug.