1 |
type: security |
2 |
subject: Updated openssl packages fix security vulnerability |
3 |
CVE: |
4 |
- CVE-2019-1559 |
5 |
src: |
6 |
6: |
7 |
core: |
8 |
- openssl-1.0.2r-1.mga6 |
9 |
description: | |
10 |
If an application encounters a fatal protocol error and then calls |
11 |
SSL_shutdown() twice (once to send a close_notify, and once to receive one) |
12 |
then OpenSSL can respond differently to the calling application if a 0 byte |
13 |
record is received with invalid padding compared to if a 0 byte record is |
14 |
received with an invalid MAC. If the application then behaves differently |
15 |
based on that in a way that is detectable to the remote peer, then this |
16 |
amounts to a padding oracle that could be used to decrypt data |
17 |
(CVE-2019-1559). |
18 |
references: |
19 |
- https://bugs.mageia.org/show_bug.cgi?id=24434 |
20 |
- https://www.openssl.org/news/secadv/20190226.txt |
21 |
ID: MGASA-2019-0106 |