Advisories ยป MGASA-2019-0106

Updated openssl packages fix security vulnerability

Publication date: 07 Mar 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-1559


If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data