Wind River Support Network

HomeDefectsLIN6-10961
Fixed

LIN6-10961 : Security Advisory - OpenSSL - CVE-2016-0704

Created: Feb 28, 2016    Updated: Dec 3, 2018
Resolved Date: Mar 1, 2016
Found In Version: 6.0
Fix Version: 6.0.0.30
Severity: Severe
Applicable for: Wind River Linux 6
Component/s: Userspace

Description

Note: This issue is corrected by the CVE-2015-0293 patch. 
No further patch will be issued for this CVE. 

Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
==============================================

Severity: Moderate

This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address the vulnerability CVE-2015-0293.

s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites.  This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.

This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions.  It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).

This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan.  The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015.  The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).

Security Notices


Other Downloads


Live chat
Online