[v2.3] openssl: CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
OpenSSL Security Advisory [12 Mar 2012]
CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A
successful attack needs on average 2^20 messages. In practice only automated
systems will be affected as humans will not be willing to process this many
messages.
SSL/TLS applications are NOT affected by this problem since the
SSL/TLS code does not use the PKCS#7 or CMS decryption code.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this weakness.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.
References
RFC3218
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120312.txt
(from redmine: issue id 1048, created on 2012-03-13, closed on 2012-03-14)
- Changesets:
- Revision 785a954f by Natanael Copa on 2012-03-13T15:39:34Z:
main/openssl: security upgrade to 1.0.0h (CVE-2012-0884)
fixes #1048
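
The advisory cites RFC 3218 for this class of attack; the sketch below is an added example (not OpenSSL's code and not the patch shipped in 1.0.0h/0.9.8u) that puts the PKCS #1 v1.5 padding check that creates the oracle next to RFC 3218's random-filling countermeasure. The 16-byte key size, the function names and the sample block are assumptions made for the illustration, and the Python code makes no attempt at constant-time behaviour.

```python
import secrets

CEK_LEN = 16  # assumed content-encryption key size (AES-128), not from the advisory


class PaddingError(Exception):
    """Distinguishable failure: the signal a Bleichenbacher oracle relies on."""


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Strict EME-PKCS1-v1_5 decode of an RSA-decrypted block: 00 02 PS 00 M."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise PaddingError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator (-1) or fewer than 8 nonzero padding bytes
        raise PaddingError("bad padding string")
    return em[sep + 1:]


def unwrap_cek_naive(em: bytes) -> bytes:
    """Weak form: a padding failure reaches the caller as a distinct error."""
    return pkcs1_v15_unpad(em)


def unwrap_cek_random_fill(em: bytes) -> bytes:
    """RFC 3218 random filling: a bad block yields a random CEK, never an error."""
    fallback = secrets.token_bytes(CEK_LEN)  # drawn on every call, before parsing
    try:
        cek = pkcs1_v15_unpad(em)
    except PaddingError:
        return fallback
    # Careful checking: a well-padded block of the wrong key size is replaced too.
    return cek if len(cek) == CEK_LEN else fallback


def make_block(cek: bytes, k: int = 128) -> bytes:
    """Constructed sample input: a valid padded block for a k-byte RSA modulus."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(cek)))
    return b"\x00\x02" + ps + b"\x00" + cek
```

With random filling the caller goes on to content decryption with the substituted key, so a malformed block fails in the same way as a well-formed block carrying the wrong key.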