MGASA-2016-0169

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2016-0169.html

Import Source

https://advisories.mageia.org/MGASA-2016-0169.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2016-0169

Related

Published

2016-05-07T21:22:48Z

Modified

2016-05-07T21:16:35Z

Summary

Updated openssl packages fix security vulnerability

Details

An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption (CVE-2016-2105).

An overflow can occur in the EVPEncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVPEncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption (CVE-2016-2106).

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI (CVE-2016-2107).

When ASN.1 data is read from a BIO using functions such as d2iCMSbio() a short invalid encoding can casuse allocation of large amounts of memory potentially consuming excessive resources or exhausting memory (CVE-2016-2109)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / openssl

Package

Name: openssl
Purl: pkg:rpm/mageia/openssl?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.2h-1.mga5

Ecosystem specific

{
    "section": "core"
}