[Buildroot] [PATCH-2018.02] package/libopenssl: security bump to version 1.0.2r

Peter Korsgaard peter at korsgaard.com
Sun Mar 24 08:29:38 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issue:
 > 0-byte record padding oracle (CVE-2019-1559)

 > If an application encounters a fatal protocol error and then calls
 > SSL_shutdown() twice (once to send a close_notify, and once to receive one)
 > then OpenSSL can respond differently to the calling application if a 0 byte
 > record is received with invalid padding compared to if a 0 byte record is
 > received with an invalid MAC.  If the application then behaves differently
 > based on that in a way that is detectable to the remote peer, then this
 > amounts to a padding oracle that could be used to decrypt data.

 > For more details, see the advisory:

 > https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard
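
An added example, not part of the original message or of Buildroot: a small check that reports whether a Buildroot tree's libopenssl package is at or past the fixed release 1.0.2r named in the subject. The file name `package/libopenssl/libopenssl.mk`, the variable `LIBOPENSSL_VERSION`, and the sample file contents are assumptions made for illustration.

```python
import re

FIXED = "1.0.2r"  # fixed release named in the patch subject

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
# Assumed variable name and file layout (package/libopenssl/libopenssl.mk).
_MK_LINE = re.compile(r"^LIBOPENSSL_VERSION\s*:?=\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Split '1.0.2r' into ((1, 0, 2), (1, 'r')) so tuples compare correctly."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    # Letter suffixes run a..z and then za, zb, ...: order by length, then text.
    return (int(major), int(minor), int(fix)), (len(letters), letters)


def check_makefile(mk_text):
    """Return (version, verdict) for the contents of a libopenssl.mk file."""
    m = _MK_LINE.search(mk_text)
    if not m:
        return None, "no-version-found"
    version = m.group(1)
    branch, patch = parse_version(version)
    fixed_branch, fixed_patch = parse_version(FIXED)
    if branch != fixed_branch:
        # The message only covers the 1.0.2 series; do not guess for others.
        return version, "other-branch"
    return version, "fixed" if patch >= fixed_patch else "needs-bump"


# Constructed sample inputs, not copied from any Buildroot tree.
SAMPLES = {
    "before": "LIBOPENSSL_VERSION = 1.0.2q\nLIBOPENSSL_SITE = https://example.invalid/source\n",
    "after": "LIBOPENSSL_VERSION = 1.0.2r\n",
    "later": "LIBOPENSSL_VERSION = 1.0.2za\n",
    "other": "LIBOPENSSL_VERSION = 1.1.1a\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *check_makefile(text))
```
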

