MNBSD-2012-0: Multiple OpenSSL vulnerabilities (info leak, DoS, double-free, MMA, ASN.1 memory corruption)

Severity: Unknown

Affected Package: openssl

Summary: Multiple OpenSSL vulnerabilities (info leak, DoS, double-free, MMA, ASN.1 memory corruption)

Description

OpenSSL fails to clear bytes used as SSL 3.0 block-cipher padding, leaking up to 15 bytes of uninitialized (possibly sensitive) memory per record. SGC handshake restart handling enables a denial of service, X509 policy checking can trigger a double-free, the PKCS#7 code is vulnerable to Bleichenbacher's million-message attack, and asn1_d2i_read_bio() contains integer errors causing memory corruption when parsing untrusted ASN.1 data such as X.509 certificates or RSA public keys.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109, CVE-2012-0884, CVE-2012-2110

Published: May 03, 2012
Last Modified: May 03, 2012