Contents of /24434.adv


Revision 8365
Thu Mar 7 16:07:38 2019 UTC (5 years, 1 month ago) by tmb
File size: 829 byte(s)
MGASA-2019-0106: openssl-1.0.2r-1.mga6
type: security
subject: Updated openssl packages fix security vulnerability
CVE:
 - CVE-2019-1559
src:
  6:
   core:
     - openssl-1.0.2r-1.mga6
description: |
  If an application encounters a fatal protocol error and then calls
  SSL_shutdown() twice (once to send a close_notify, and once to receive one)
  then OpenSSL can respond differently to the calling application if a 0 byte
  record is received with invalid padding compared to if a 0 byte record is
  received with an invalid MAC. If the application then behaves differently
  based on that in a way that is detectable to the remote peer, then this
  amounts to a padding oracle that could be used to decrypt data
  (CVE-2019-1559).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24434
 - https://www.openssl.org/news/secadv/20190226.txt
ID: MGASA-2019-0106
