ID CVE-2012-1165
Summary The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
References
Vulnerable Configurations
  • OpenSSL Project OpenSSL 0.9.1c
    cpe:2.3:a:openssl:openssl:0.9.1c
  • OpenSSL Project OpenSSL 0.9.2b
    cpe:2.3:a:openssl:openssl:0.9.2b
  • OpenSSL Project OpenSSL 0.9.3
    cpe:2.3:a:openssl:openssl:0.9.3
  • OpenSSL Project OpenSSL 0.9.3a
    cpe:2.3:a:openssl:openssl:0.9.3a
  • OpenSSL Project OpenSSL 0.9.4
    cpe:2.3:a:openssl:openssl:0.9.4
  • OpenSSL Project OpenSSL 0.9.5
    cpe:2.3:a:openssl:openssl:0.9.5
  • OpenSSL Project OpenSSL 0.9.5 Beta1
    cpe:2.3:a:openssl:openssl:0.9.5:beta1
  • OpenSSL Project OpenSSL 0.9.5 Beta2
    cpe:2.3:a:openssl:openssl:0.9.5:beta2
  • OpenSSL Project OpenSSL 0.9.5a
    cpe:2.3:a:openssl:openssl:0.9.5a
  • OpenSSL Project OpenSSL 0.9.5a Beta1
    cpe:2.3:a:openssl:openssl:0.9.5a:beta1
  • OpenSSL Project OpenSSL 0.9.5a Beta2
    cpe:2.3:a:openssl:openssl:0.9.5a:beta2
  • OpenSSL Project OpenSSL 0.9.6
    cpe:2.3:a:openssl:openssl:0.9.6
  • OpenSSL Project OpenSSL 0.9.6 Beta1
    cpe:2.3:a:openssl:openssl:0.9.6:beta1
  • OpenSSL Project OpenSSL 0.9.6 Beta2
    cpe:2.3:a:openssl:openssl:0.9.6:beta2
  • OpenSSL Project OpenSSL 0.9.6 Beta3
    cpe:2.3:a:openssl:openssl:0.9.6:beta3
  • OpenSSL Project OpenSSL 0.9.6a
    cpe:2.3:a:openssl:openssl:0.9.6a
  • OpenSSL Project OpenSSL 0.9.6a Beta1
    cpe:2.3:a:openssl:openssl:0.9.6a:beta1
  • OpenSSL Project OpenSSL 0.9.6a Beta2
    cpe:2.3:a:openssl:openssl:0.9.6a:beta2
  • OpenSSL Project OpenSSL 0.9.6a Beta3
    cpe:2.3:a:openssl:openssl:0.9.6a:beta3
  • OpenSSL Project OpenSSL 0.9.6b
    cpe:2.3:a:openssl:openssl:0.9.6b
  • OpenSSL Project OpenSSL 0.9.6c
    cpe:2.3:a:openssl:openssl:0.9.6c
  • OpenSSL Project OpenSSL 0.9.6d
    cpe:2.3:a:openssl:openssl:0.9.6d
  • OpenSSL Project OpenSSL 0.9.6e
    cpe:2.3:a:openssl:openssl:0.9.6e
  • OpenSSL Project OpenSSL 0.9.6f
    cpe:2.3:a:openssl:openssl:0.9.6f
  • OpenSSL Project OpenSSL 0.9.6g
    cpe:2.3:a:openssl:openssl:0.9.6g
  • OpenSSL Project OpenSSL 0.9.6h
    cpe:2.3:a:openssl:openssl:0.9.6h
  • OpenSSL Project OpenSSL 0.9.6i
    cpe:2.3:a:openssl:openssl:0.9.6i
  • OpenSSL Project OpenSSL 0.9.6j
    cpe:2.3:a:openssl:openssl:0.9.6j
  • OpenSSL Project OpenSSL 0.9.6k
    cpe:2.3:a:openssl:openssl:0.9.6k
  • OpenSSL Project OpenSSL 0.9.6l
    cpe:2.3:a:openssl:openssl:0.9.6l
  • OpenSSL Project OpenSSL 0.9.6m
    cpe:2.3:a:openssl:openssl:0.9.6m
  • OpenSSL Project OpenSSL 0.9.7
    cpe:2.3:a:openssl:openssl:0.9.7
  • OpenSSL Project OpenSSL 0.9.7 beta1
    cpe:2.3:a:openssl:openssl:0.9.7:beta1
  • OpenSSL Project OpenSSL 0.9.7 beta2
    cpe:2.3:a:openssl:openssl:0.9.7:beta2
  • OpenSSL Project OpenSSL 0.9.7 beta3
    cpe:2.3:a:openssl:openssl:0.9.7:beta3
  • OpenSSL Project OpenSSL 0.9.7 Beta4
    cpe:2.3:a:openssl:openssl:0.9.7:beta4
  • OpenSSL Project OpenSSL 0.9.7 Beta5
    cpe:2.3:a:openssl:openssl:0.9.7:beta5
  • OpenSSL Project OpenSSL 0.9.7 Beta6
    cpe:2.3:a:openssl:openssl:0.9.7:beta6
  • OpenSSL Project OpenSSL 0.9.7a
    cpe:2.3:a:openssl:openssl:0.9.7a
  • OpenSSL Project OpenSSL 0.9.7b
    cpe:2.3:a:openssl:openssl:0.9.7b
  • OpenSSL Project OpenSSL 0.9.7c
    cpe:2.3:a:openssl:openssl:0.9.7c
  • OpenSSL Project OpenSSL 0.9.7d
    cpe:2.3:a:openssl:openssl:0.9.7d
  • OpenSSL Project OpenSSL 0.9.7e
    cpe:2.3:a:openssl:openssl:0.9.7e
  • OpenSSL Project OpenSSL 0.9.7f
    cpe:2.3:a:openssl:openssl:0.9.7f
  • OpenSSL Project OpenSSL 0.9.7g
    cpe:2.3:a:openssl:openssl:0.9.7g
  • OpenSSL Project OpenSSL 0.9.7h
    cpe:2.3:a:openssl:openssl:0.9.7h
  • OpenSSL Project OpenSSL 0.9.7i
    cpe:2.3:a:openssl:openssl:0.9.7i
  • OpenSSL Project OpenSSL 0.9.7j
    cpe:2.3:a:openssl:openssl:0.9.7j
  • OpenSSL Project OpenSSL 0.9.7k
    cpe:2.3:a:openssl:openssl:0.9.7k
  • OpenSSL Project OpenSSL 0.9.7l
    cpe:2.3:a:openssl:openssl:0.9.7l
  • OpenSSL Project OpenSSL 0.9.7m
    cpe:2.3:a:openssl:openssl:0.9.7m
  • OpenSSL Project OpenSSL 0.9.8
    cpe:2.3:a:openssl:openssl:0.9.8
  • OpenSSL Project OpenSSL 0.9.8a
    cpe:2.3:a:openssl:openssl:0.9.8a
  • OpenSSL Project OpenSSL 0.9.8b
    cpe:2.3:a:openssl:openssl:0.9.8b
  • OpenSSL Project OpenSSL 0.9.8c
    cpe:2.3:a:openssl:openssl:0.9.8c
  • OpenSSL Project OpenSSL 0.9.8d
    cpe:2.3:a:openssl:openssl:0.9.8d
  • OpenSSL Project OpenSSL 0.9.8e
    cpe:2.3:a:openssl:openssl:0.9.8e
  • OpenSSL Project OpenSSL 0.9.8f
    cpe:2.3:a:openssl:openssl:0.9.8f
  • OpenSSL Project OpenSSL 0.9.8g
    cpe:2.3:a:openssl:openssl:0.9.8g
  • OpenSSL Project OpenSSL 0.9.8h
    cpe:2.3:a:openssl:openssl:0.9.8h
  • OpenSSL Project OpenSSL 0.9.8i
    cpe:2.3:a:openssl:openssl:0.9.8i
  • OpenSSL Project OpenSSL 0.9.8j
    cpe:2.3:a:openssl:openssl:0.9.8j
  • OpenSSL Project OpenSSL 0.9.8k
    cpe:2.3:a:openssl:openssl:0.9.8k
  • OpenSSL Project OpenSSL 0.9.8l
    cpe:2.3:a:openssl:openssl:0.9.8l
  • OpenSSL Project OpenSSL 0.9.8m
    cpe:2.3:a:openssl:openssl:0.9.8m
  • OpenSSL Project OpenSSL 0.9.8m Beta1
    cpe:2.3:a:openssl:openssl:0.9.8m:beta1
  • OpenSSL Project OpenSSL 0.9.8n
    cpe:2.3:a:openssl:openssl:0.9.8n
  • OpenSSL Project OpenSSL 0.9.8o
    cpe:2.3:a:openssl:openssl:0.9.8o
  • OpenSSL Project OpenSSL 0.9.8p
    cpe:2.3:a:openssl:openssl:0.9.8p
  • OpenSSL Project OpenSSL 0.9.8q
    cpe:2.3:a:openssl:openssl:0.9.8q
  • OpenSSL Project OpenSSL 0.9.8r
    cpe:2.3:a:openssl:openssl:0.9.8r
  • OpenSSL Project OpenSSL 0.9.8s
    cpe:2.3:a:openssl:openssl:0.9.8s
  • OpenSSL Project OpenSSL 0.9.8t
    cpe:2.3:a:openssl:openssl:0.9.8t
  • OpenSSL Project OpenSSL 1.0.0
    cpe:2.3:a:openssl:openssl:1.0.0
  • OpenSSL Project OpenSSL 1.0.0 Beta1
    cpe:2.3:a:openssl:openssl:1.0.0:beta1
  • OpenSSL Project OpenSSL 1.0.0 Beta2
    cpe:2.3:a:openssl:openssl:1.0.0:beta2
  • OpenSSL Project OpenSSL 1.0.0 Beta3
    cpe:2.3:a:openssl:openssl:1.0.0:beta3
  • OpenSSL Project OpenSSL 1.0.0 Beta4
    cpe:2.3:a:openssl:openssl:1.0.0:beta4
  • OpenSSL Project OpenSSL 1.0.0 Beta5
    cpe:2.3:a:openssl:openssl:1.0.0:beta5
  • OpenSSL Project OpenSSL 1.0.0a
    cpe:2.3:a:openssl:openssl:1.0.0a
  • OpenSSL Project OpenSSL 1.0.0b
    cpe:2.3:a:openssl:openssl:1.0.0b
  • OpenSSL Project OpenSSL 1.0.0c
    cpe:2.3:a:openssl:openssl:1.0.0c
  • OpenSSL Project OpenSSL 1.0.0d
    cpe:2.3:a:openssl:openssl:1.0.0d
  • OpenSSL Project OpenSSL 1.0.0e
    cpe:2.3:a:openssl:openssl:1.0.0e
  • OpenSSL Project OpenSSL 1.0.0f
    cpe:2.3:a:openssl:openssl:1.0.0f
  • OpenSSL Project OpenSSL 1.0.0g
    cpe:2.3:a:openssl:openssl:1.0.0g
CVSS
Base: 5.0 (as of 16-03-2012 - 09:04)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-210.NASL
    description Changes in openssl : - S/MIME verification may erroneously fail - Free headers after use in error message - Symmetric crypto errors in PKCS7_decrypt
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 74590
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74590
    title openSUSE Security Update : openssl (openSUSE-SU-2012:0474-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSL-8034.NASL
    description The following security issue has been fixed : - Specially crafted MIME headers could cause OpenSSL's ans1 parser to dereference a NULL pointer leading to a Denial of Service (CVE-2006-7250) or fail verfication. (CVE-2012-1165) Additionally, two other bugs have been fixed : - free() headers after use in error message. (bnc#749213) - symmetric crypto errors in PKCS7_decrypt. (bnc#749210)
    last seen 2019-02-21
    modified 2012-06-14
    plugin id 58679
    published 2012-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58679
    title SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 8034)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-153.NASL
    description openssl was updated to 1.0.0k security release to fix bugs and security issues. (bnc#802648 bnc#802746) The version was upgraded to avoid backporting the large fixes for SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) OCSP invalid key DoS issue (CVE-2013-0166) Also the following bugfix was included: bnc#757773 - c_rehash to accept more filename extensions
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74901
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74901
    title openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0488.NASL
    description An updated rhev-hypervisor5 package that fixes three security issues and one bug is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash. (CVE-2012-1569) A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially crafted TLS record from a remote TLS/SSL connection peer. (CVE-2012-1573) An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-0864) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1569 and CVE-2012-1573. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2011-4128 (gnutls issue) CVE-2012-1583 (kernel issue) CVE-2011-3045 (libpng issue) CVE-2012-0884 and CVE-2012-1165 (openssl issues) Further information on the changes made to the package is available on the relevant errata : https://rhn.redhat.com/errata/RHBA-2012-0398.html Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 79286
    published 2014-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79286
    title RHEL 5 : rhev-hypervisor5 (RHSA-2012:0488)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0531.NASL
    description An updated rhev-hypervisor6 package that fixes three security issues and one bug is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way libtasn1 decoded DER data. An attacker could create carefully-crafted DER encoded input (such as an X.509 certificate) that, when parsed by an application that uses libtasn1 (such as applications using GnuTLS), could cause the application to crash. (CVE-2012-1569) A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially crafted TLS record from a remote TLS/SSL connection peer. (CVE-2012-1573) An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-0864) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1569 and CVE-2012-1573. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2011-4128 (gnutls issue) CVE-2012-0879, CVE-2012-1090, and CVE-2012-1097 (kernel issues) CVE-2012-0884 and CVE-2012-1165 (openssl issues) CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 (rpm issues) This update also fixes the following bug : * The Hypervisor previously set the lro_disable option for the enic driver. The driver does not support this option, as a result the Hypervisor did not correctly detect and configure the network interfaces of a Cisco M81KR adaptor, when present. The Hypervisor has been updated and no longer sets the invalid option for this driver. (BZ#809463) Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 78922
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78922
    title RHEL 6 : rhev-hypervisor6 (RHSA-2012:0531)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0007.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv everywhere instead of getenv (#839735) - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio (#814185) - fix problem with the SGC restart patch that might terminate handshake incorrectly - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4109 - double free in policy checks (#771771) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) - add known answer test for SHA2 algorithms (#740866) - make default private key length in certificate Makefile 2048 bits (can be changed with PRIVATE_KEY_BITS setting) (#745410) - fix incorrect return value in parse_yesno (#726593) - added DigiCert CA certificates to ca-bundle (#735819) - added a new section about error states to README.FIPS (#628976) - add missing DH_check_pub_key call when DH key is computed (#698175) - presort list of ciphers available in SSL (#688901) - accept connection in s_server even if getaddrinfo fails (#561260) - point to openssl dgst for list of supported digests (#608639) - fix handling of future TLS versions (#599112) - added VeriSign Class 3 Public Primary Certification Authority - G5 and StartCom Certification Authority certs to ca-bundle (#675671, #617856) - upstream fixes for the CHIL engine (#622003, #671484) - add SHA-2 hashes in SSL_library_init (#676384) - fix CVE-2010-4180 - completely disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462) - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924) - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which in the RHEL-5 and newer versions will crash in such case (#569774) - fix CVE-2009-3555 - support the safe renegotiation extension and do not allow legacy renegotiation on the server by default (#533125) - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197) - fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data is called prematurely by application (#546707)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79531
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79531
    title OracleVM 2.2 : openssl (OVMSA-2014-0007)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1424-1.NASL
    description It was discovered that OpenSSL could be made to dereference a NULL pointer when processing S/MIME messages. A remote attacker could use this to cause a denial of service. These issues did not affect Ubuntu 8.04 LTS. (CVE-2006-7250, CVE-2012-1165) Tavis Ormandy discovered that OpenSSL did not properly perform bounds checking when processing DER data via BIO or FILE functions. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. (CVE-2012-2110). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 58808
    published 2012-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58808
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 : openssl vulnerabilities (USN-1424-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0008.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv everywhere instead of getenv (#839735) - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio (#814185) - fix problem with the SGC restart patch that might terminate handshake incorrectly - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4109 - double free in policy checks (#771771) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) - add known answer test for SHA2 algorithms (#740866) - make default private key length in certificate Makefile 2048 bits (can be changed with PRIVATE_KEY_BITS setting) (#745410) - fix incorrect return value in parse_yesno (#726593) - added DigiCert CA certificates to ca-bundle (#735819) - added a new section about error states to README.FIPS (#628976) - add missing DH_check_pub_key call when DH key is computed (#698175) - presort list of ciphers available in SSL (#688901) - accept connection in s_server even if getaddrinfo fails (#561260) - point to openssl dgst for list of supported digests (#608639) - fix handling of future TLS versions (#599112) - added VeriSign Class 3 Public Primary Certification Authority - G5 and StartCom Certification Authority certs to ca-bundle (#675671, #617856) - upstream fixes for the CHIL engine (#622003, #671484) - add SHA-2 hashes in SSL_library_init (#676384) - fix CVE-2010-4180 - completely disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462) - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924) - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which in the RHEL-5 and newer versions will crash in such case (#569774) - fix CVE-2009-3555 - support the safe renegotiation extension and do not allow legacy renegotiation on the server by default (#533125) - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197) - fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data is called prematurely by application (#546707)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79532
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79532
    title OracleVM 3.2 : onpenssl (OVMSA-2014-0008)
  • NASL family Web Servers
    NASL id HPSMH_7_1_1_1.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities : - The bundled version of the libxml2 library contains multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821, CVE-2011-2834) - The bundled version of PHP contains multiple vulnerabilities. (CVE-2011-3379, CVE-2011-4153, CVE-2011-4885, CVE-2012-1823, CVE-2012-0057, CVE-2012-0830) - The bundled version of the Apache HTTP Server contains multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317, CVE-2011-4415, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053) - An issue exists in the 'include/iniset.php' script in the embedded RoundCube Webmail version that could lead to a denial of service. (CVE-2011-4078) - The bundled version of OpenSSL contains multiple vulnerabilities. (CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-1165) - The bundled version of curl and libcurl does not properly consider special characters during extraction of a pathname from a URL. (CVE-2012-0036) - An off autocomplete attribute does not exist for unspecified form fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. (CVE-2012-2012) - An unspecified vulnerability exists that could allow a remote attacker to cause a denial of service, or possibly obtain sensitive information or modify data. (CVE-2012-2013) - An unspecified vulnerability exists related to improper input validation. (CVE-2012-2014) - An unspecified vulnerability allows remote, unauthenticated users to gain privileges and obtain sensitive information. (CVE-2012-2015) - An unspecified vulnerability allows local users to obtain sensitive information via unknown vectors. (CVE-2012-2016)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59851
    published 2012-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59851
    title HP System Management Homepage < 7.1.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBOPENSSL-DEVEL-120327.NASL
    description The following security issues have been fixed : - Specially crafted MIME headers could cause openssl's ans1 parser to dereference a NULL pointer leading to a Denial of Service (CVE-2006-7250) or fail verfication. (CVE-2012-1165) - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL was vulnerable to a Million Message Attack (MMA) adaptive chosen ciphertext attack. (CVE-2012-0884) Additionally, the following issues have been fixed : - Free headers after use in error message. (bnc#749213) - Symmetric crypto errors in PKCS7_decrypt. (bnc#749210) - Memory leak when creating public keys. (bnc#749735)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 58677
    published 2012-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58677
    title SuSE 11.1 Security Update : OpenSSL (SAT Patch Number 6054)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0426.NASL
    description Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884) This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 58502
    published 2012-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58502
    title CentOS 5 / 6 : openssl (CESA-2012:0426)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-4665.NASL
    description This minor update from upstream fixes two security vulnerabilities with moderate and low impact. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58669
    published 2012-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58669
    title Fedora 16 : openssl-1.0.0h-1.fc16 (2012-4665)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-4630.NASL
    description This minor update from upstream fixes two security vulnerabilities with moderate and low impact. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58697
    published 2012-04-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58697
    title Fedora 17 : openssl-1.0.0h-1.fc17 (2012-4630)
  • NASL family AIX Local Security Checks
    NASL id AIX_OPENSSL_ADVISORY4.NASL
    description The version of OpenSSL running on the remote host is affected by the following vulnerabilities : - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. (CVE-2012-0884) - The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. (CVE-2012-1165) - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. (CVE-2012-2110) - Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. (CVE-2012-2131) - Integer underflow in OpenSSL when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over- read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. (CVE-2012-2333)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 73562
    published 2014-04-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73562
    title AIX OpenSSL Advisory : openssl_advisory4.asc
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120327_OPENSSL_ON_SL5_X.NASL
    description OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884) This update also fixes a regression caused by the fix for CVE-2011-4619, released in a previous update, which caused Server Gated Cryptography (SGC) handshakes to fail. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61293
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61293
    title Scientific Linux Security Update : openssl on SL5.x, SL6.x i386/x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201312-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201312-03 (OpenSSL: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers can determine private keys, decrypt data, cause a Denial of Service or possibly have other unspecified impact. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 71169
    published 2013-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71169
    title GLSA-201312-03 : OpenSSL: Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id OPENSSL_0_9_8U.NASL
    description According to its banner, the remote web server uses an OpenSSL version prior to 0.9.8u. As such, it is reportedly affected by the following vulnerabilities : - An error exists in the function 'mime_hdr_cmp' that could allow a NULL pointer to be dereferenced when parsing certain MIME headers. (CVE-2006-7250) - The fix for CVE-2011-4619 was not complete. - An error exists in the Cryptographic Message Syntax (CMS) and PKCS #7 implementation such that data can be decrypted using Million Message Attack (MMA) adaptive chosen cipher text attack. (CVE-2012-0884) - An error exists in the function 'mime_param_cmp' in the file 'crypto/asn1/asn_mime.c' that can allow a NULL pointer to be dereferenced when handling certain S/MIME content. (CVE-2012-1165) Note that SSL/TLS applications are not necessarily affected, but those using CMS, PKCS #7 and S/MIME decryption operations are.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 58564
    published 2012-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58564
    title OpenSSL < 0.9.8u Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-18035.NASL
    description Update to 1.0.1c and synced all patches with Fedora openssl-1.0.1c-7.fc19 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 63031
    published 2012-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63031
    title Fedora 18 : mingw-openssl-1.0.1c-1.fc18 (2012-18035)
  • NASL family Web Servers
    NASL id OPENSSL_1_0_0H.NASL
    description According to its banner, the remote web server is running OpenSSL version 1.0.0 prior to version 1.0.0h. As such, it reportedly is affected by the following vulnerabilities : - An error exists in the function 'mime_hdr_cmp' that could allow a NULL pointer to be dereferenced when parsing certain MIME headers. (CVE-2006-7250) - The fix for CVE-2011-4619 was not complete. - An error exists in the Cryptographic Message Syntax (CMS) and PKCS #7 implementation such that data can be decrypted using Million Message Attack (MMA) adaptive chosen cipher text attack. (CVE-2012-0884) - An error exists in the function 'mime_param_cmp' in the file 'crypto/asn1/asn_mime.c' that can allow a NULL pointer to be dereferenced when handling certain S/MIME content. (CVE-2012-1165) Note that SSL/TLS applications are not necessarily affected, but those using CMS, PKCS #7 and S/MIME decryption operations are.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 58565
    published 2012-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58565
    title OpenSSL 1.0.0 < 1.0.0h Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBOPENSSL-DEVEL-120328.NASL
    description The following security issues have been fixed : - Specially crafted MIME headers could cause openssl's ans1 parser to dereference a NULL pointer leading to a Denial of Service (CVE-2006-7250) or fail verfication. (CVE-2012-1165) - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL was vulnerable to a Million Message Attack (MMA) adaptive chosen ciphertext attack. (CVE-2012-0884) Additionally, the following issues have been fixed : - Free headers after use in error message. (bnc#749213) - Symmetric crypto errors in PKCS7_decrypt. (bnc#749210) - Memory leak when creating public keys. (bnc#749735)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 58678
    published 2012-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58678
    title SuSE 11.1 Security Update : OpenSSL (SAT Patch Number 6054)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-4659.NASL
    description This minor update from upstream fixes two security vulnerabilities with moderate and low impact. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58699
    published 2012-04-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58699
    title Fedora 15 : openssl-1.0.0h-1.fc15 (2012-4659)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2454.NASL
    description Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2012-0884 Ivan Nestlerode discovered a weakness in the CMS and PKCS #7 implementations that could allow an attacker to decrypt data via a Million Message Attack (MMA). - CVE-2012-1165 It was discovered that a NULL pointer could be dereferenced when parsing certain S/MIME messages, leading to denial of service. - CVE-2012-2110 Tavis Ormandy, Google Security Team, discovered a vulnerability in the way DER-encoded ASN.1 data is parsed that can result in a heap overflow. Additionally, the fix for CVE-2011-4619 has been updated to address an issue with SGC handshakes. Tomas Hoger, Red Hat, discovered that the fix for CVE-2012-2110 for the 0.9.8 series of OpenSSL was incomplete. It has been assigned the CVE-2012-2131 identifier.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 58804
    published 2012-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58804
    title Debian DSA-2454-2 : openssl - multiple vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2012-62.NASL
    description A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69669
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69669
    title Amazon Linux AMI : openssl (ALAS-2012-62)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0426.NASL
    description Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884) This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 58507
    published 2012-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58507
    title RHEL 5 / 6 : openssl (RHSA-2012:0426)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2012-038.NASL
    description Multiple vulnerabilities has been found and corrected in openssl : The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack (CVE-2012-0884). The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250 (CVE-2012-1165). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 58490
    published 2012-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58490
    title Mandriva Linux Security Advisory : openssl (MDVSA-2012:038)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0426.NASL
    description From Red Hat Security Advisory 2012:0426 : Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884) This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68501
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68501
    title Oracle Linux 5 / 6 : openssl (ELSA-2012-0426)
redhat via4
advisories
  • bugzilla
    id 802725
    title CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment openssl is earlier than 0:1.0.0-20.el6_2.3
            oval oval:com.redhat.rhsa:tst:20120426005
          • comment openssl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100888006
        • AND
          • comment openssl-devel is earlier than 0:1.0.0-20.el6_2.3
            oval oval:com.redhat.rhsa:tst:20120426009
          • comment openssl-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100888012
        • AND
          • comment openssl-perl is earlier than 0:1.0.0-20.el6_2.3
            oval oval:com.redhat.rhsa:tst:20120426011
          • comment openssl-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100888008
        • AND
          • comment openssl-static is earlier than 0:1.0.0-20.el6_2.3
            oval oval:com.redhat.rhsa:tst:20120426007
          • comment openssl-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100888010
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment openssl is earlier than 0:0.9.8e-22.el5_8.1
            oval oval:com.redhat.rhsa:tst:20120426014
          • comment openssl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964003
        • AND
          • comment openssl-devel is earlier than 0:0.9.8e-22.el5_8.1
            oval oval:com.redhat.rhsa:tst:20120426016
          • comment openssl-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964005
        • AND
          • comment openssl-perl is earlier than 0:0.9.8e-22.el5_8.1
            oval oval:com.redhat.rhsa:tst:20120426018
          • comment openssl-perl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964007
    rhsa
    id RHSA-2012:0426
    released 2012-03-27
    severity Moderate
    title RHSA-2012:0426: openssl security and bug fix update (Moderate)
  • rhsa
    id RHSA-2012:0488
  • rhsa
    id RHSA-2012:0531
  • rhsa
    id RHSA-2012:1306
  • rhsa
    id RHSA-2012:1307
  • rhsa
    id RHSA-2012:1308
rpms
  • openssl-0:1.0.0-20.el6_2.3
  • openssl-devel-0:1.0.0-20.el6_2.3
  • openssl-perl-0:1.0.0-20.el6_2.3
  • openssl-static-0:1.0.0-20.el6_2.3
  • openssl-0:0.9.8e-22.el5_8.1
  • openssl-devel-0:0.9.8e-22.el5_8.1
  • openssl-perl-0:0.9.8e-22.el5_8.1
refmap via4
bid 52764
confirm
debian DSA-2454
fedora
  • FEDORA-2012-18035
  • FEDORA-2012-4630
  • FEDORA-2012-4659
  • FEDORA-2012-4665
hp
  • HPSBMU02786
  • HPSBOV02793
  • HPSBUX02782
  • SSRT100844
  • SSRT100877
  • SSRT100891
mlist [oss-security] 20120312 Re: CVE request: openssl: null pointer dereference issue
sectrack 1026787
secunia
  • 48580
  • 48895
  • 48899
ubuntu USN-1424-1
Last major update 22-08-2016 - 22:05
Published 15-03-2012 - 13:55
Last modified 12-01-2018 - 21:29
Back to Top