[v2.3] openssl<1.0.0j: Invalid TLS/DTLS record attack (CVE-2012-2333) (#1152) · Issues · alpine / aports

[v2.3] openssl<1.0.0j: Invalid TLS/DTLS record attack (CVE-2012-2333)

OpenSSL Security Advisory [10 May 2012]

Invalid TLS/DTLS record attack (CVE-2012-2333)

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x

References

URL for this Security Advisory:
http://www.openssl.org/news/secadv\_20120510.txt

(from redmine: issue id 1152, created on 2012-05-14, closed on 2012-05-17)

Changesets:
- Revision 8d888cd6 by Natanael Copa on 2012-05-14T12:49:20Z:

main/openssl: security upgrade to 1.0.0j (CVE-2012-2333)

fixes #1152

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information