[v2.2] openssl: CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
OpenSSL Security Advisory [12 Mar 2012]
CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are
successful attack needs on average 2^20 messages. In practice only automated
systems will be affected as humans will not be willing to process this many
SSL/TLS applications are NOT affected by this problem since the
SSL/TLS code does not use the PKCS#7 or CMS decryption code.
Thanks to Ivan Nestlerode <email@example.com> for
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.
URL for this Security Advisory:
(from redmine: issue id 1049, created on 2012-03-13, closed on 2012-03-14)
- Revision fe0c3a45 by Natanael Copa on 2012-03-13T15:40:40Z:
main/openssl: security upgrade to 1.0.0h (CVE-2012-0884) fixes #1049
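
A way to check reported OpenSSL versions against the fixed releases the advisory names (1.0.0h and 0.9.8u). This is an added example, not code from OpenSSL or from this tracker; the function names and the sample inventory are constructed for illustration, and branches the advisory does not mention are reported as not covered rather than guessed at.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(0, 9, 8): "u", (1, 0, 0): "h"}

# Matches "OpenSSL 1.0.0g 18 Jan 2012" as well as a bare "0.9.8za".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _patch_key(letters):
    # Patch letters run a..z, then za, zb, ...; length-then-text orders them.
    return (len(letters), letters)


def classify(version_text):
    """Classify one version string as 'fixed', 'below-fix' or 'not-covered'."""
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version_text)
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    fixed_letter = FIXED.get(branch)
    if fixed_letter is None:
        # The advisory names no fixed release for this branch.
        return "not-covered"
    if _patch_key(m.group(4)) >= _patch_key(fixed_letter):
        return "fixed"
    return "below-fix"


def audit(inventory):
    """Map each host to the classification of its reported version."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names and version lines).
SAMPLE_INVENTORY = {
    "mail-gw": "OpenSSL 1.0.0g 18 Jan 2012",
    "smime-proxy": "OpenSSL 1.0.0h 12 Mar 2012",
    "legacy-box": "OpenSSL 0.9.8t",
    "archive": "OpenSSL 0.9.8za",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, status)
```

A distribution package can carry a backported fix under an older upstream version string, so a `below-fix` result is a prompt to check the package changelog for CVE-2012-0884 rather than proof of exposure.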