Hide Forgot
Quoting upstream advisory: This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they *displace* encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: if an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. More importantly, this leads to a more efficient version of DROWN that is effective against non-export ciphersuites, and requires no significant computation. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
We have the CVE-2015-0293 fix applied.
CVE-2015-0293 is tracked via bug 1202404. For upstream commit correcting this issue, see bug 1202404 comment 5.
Acknowledgments: Name: the OpenSSL project Upstream: David Adrian (University of Michigan), J. Alex Halderman (University of Michigan)
External References: https://www.openssl.org/news/secadv/20160301.txt
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Extended Lifecycle Support Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.6 Long Life Red Hat Enterprise Linux 5.9 Long Life Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 Advanced Update Support Red Hat Enterprise Linux 6.5 Advanced Update Support Red Hat Enterprise Linux 6.4 Advanced Update Support Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html
Statement: (none)
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html
By any chance these fixes will be available for centos distribution (6). Any ETA for same. Thanks
Gentle reminder, any information on when the fix would be available in centos 6 distribution
If you look at the changelog of the current openssl in CentOS you can see there is fix for CVE-2015-0293 which means this package is not vulnerable to CVE-2016-0703.
(In reply to Tomas Mraz from comment #12) > If you look at the changelog of the current openssl in CentOS you can see > there is fix for CVE-2015-0293 which means this package is not vulnerable to > CVE-2016-0703. Thanks Tomas, If you also provide insight on CVE-2016-0704. Bugzila link --> https://bugzilla.redhat.com/show_bug.cgi?id=1310814 i would be grateful.