Computer Security
[EN] securityvulns.ru no-pyccku


OpenSSL / PolarSSL / GnuTLS security vulnerabilities
updated since 14.02.2013
Published:02.03.2013
Source:
SecurityVulns ID:12887
Type:library
Threat Level:
6/10
Description:Timing attacks, DoS.
Affected:OPENSSL : OpenSSL 1.0
 POLARSSL : PolarSSL 1.2
 GNU : gnutls 2.12
CVE:CVE-2013-1622 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is not a security issue. Further investigation showed that, because of RFC noncompliance, no version or configuration of the product had the vulnerability previously associated with this ID. Notes: none.)
 CVE-2013-1621 (Array index error in the SSL module in PolarSSL before 1.2.5 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session, a different vulnerability than CVE-2013-0169.)
 CVE-2013-1619 (The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.)
 CVE-2013-0169 (The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.)
 CVE-2013-0166 (OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.)
Original documentdocumentUBUNTU, [USN-1752-1] GnuTLS vulnerability (02.03.2013)
 documentDEBIAN, [SECURITY] [DSA 2622-1] polarssl security update (14.02.2013)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod