Updated openssl packages fix security vulnerability
Publication date: 07 Mar 2019
Modification date: 07 Mar 2019
Type: security
Affected Mageia releases: 6
CVE: CVE-2019-1559
Description
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), OpenSSL can respond differently to the calling application depending on whether a 0-byte record is received with invalid padding or with an invalid MAC. If the application then behaves differently based on that, in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data (CVE-2019-1559).
References
SRPMS
6/core
- openssl-1.0.2r-1.mga6
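
To check a host against the fixed build listed above, the following added example (not part of the Mageia advisory) classifies an openssl package string. The function name `check_openssl_pkg`, its return codes, and every sample string other than `openssl-1.0.2r-1.mga6` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an openssl package string against the fixed build
# listed in this advisory (openssl-1.0.2r-1.mga6) for CVE-2019-1559.
# Return codes are this example's own convention:
#   0 = fixed build or later, 1 = predates the fix, 2 = not a 1.0.2 mga6 build
LC_ALL=C; export LC_ALL              # keep [a-q] and [!a-z] byte-exact

check_openssl_pkg() {
    pkg=${1#openssl-}                # accept "openssl-1.0.2r-1.mga6[.arch]" or bare V-R
    case $pkg in
        1.0.2*-*.mga6*) ;;
        *) return 2 ;;               # other series/releases: not covered by this advisory
    esac
    version=${pkg%%-*}               # e.g. "1.0.2r"
    rest=${pkg#*-}                   # e.g. "1.mga6"
    release=${rest%%.*}              # leading integer of the RPM release, e.g. "1"
    letter=${version#1.0.2}          # patch letter, empty for plain 1.0.2
    case $letter in *[!a-z]*) return 2 ;; esac
    case $release in ''|*[!0-9]*) return 2 ;; esac
    case $letter in
        ''|[a-q]) return 1 ;;        # 1.0.2 through 1.0.2q predate 1.0.2r
        r)  if [ "$release" -ge 1 ]; then return 0; else return 1; fi ;;
        *)  return 0 ;;              # 1.0.2s and later letters
    esac
}

# Constructed sample inputs (only the first one appears in the advisory).
for sample in openssl-1.0.2r-1.mga6 openssl-1.0.2q-1.mga6.x86_64 1.0.2-3.mga6 1.1.1a-1.mga7; do
    rc=0
    check_openssl_pkg "$sample" || rc=$?
    case $rc in
        0) echo "$sample: fixed" ;;
        1) echo "$sample: predates the fix, update to openssl-1.0.2r-1.mga6" ;;
        *) echo "$sample: not covered by this check" ;;
    esac
done
```

On a Mageia 6 host, the function can be given the output of `rpm -q openssl` directly.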