[Buildroot] [PATCH-2018.02] package/libopenssl: security bump to version 1.0.2r
Peter Korsgaard
peter at korsgaard.com
Sun Mar 24 08:29:38 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issue:
> 0-byte record padding oracle (CVE-2019-1559)
> If an application encounters a fatal protocol error and then calls
> SSL_shutdown() twice (once to send a close_notify, and once to receive one)
> then OpenSSL can respond differently to the calling application if a 0 byte
> record is received with invalid padding compared to if a 0 byte record is
> received with an invalid MAC. If the application then behaves differently
> based on that in a way that is detectable to the remote peer, then this
> amounts to a padding oracle that could be used to decrypt data.
> For more details, see the advisory:
> https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x and 2018.11.x, thanks.
--
Bye, Peter Korsgaard
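
A check a tree maintainer could run after this bump, added here as an example that is not part of the original mail or of Buildroot: it pulls an OpenSSL version out of a line and says whether a 1.0.2-series version predates 1.0.2r. The `LIBOPENSSL_VERSION` variable name, the function names, the two-letter suffix ordering and all sample lines are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not Buildroot or OpenSSL code.
# Classifies an OpenSSL version against 1.0.2r, the version this patch bumps to.
LC_ALL=C; export LC_ALL   # keep the [a-q] / [r-z] ranges plain ASCII

# Extract the x.y.z[letters] token (the last one if several) from a line such
# as "OpenSSL 1.0.2q  20 Nov 2018" or "LIBOPENSSL_VERSION = 1.0.2q".
extract_version() {
    printf ' %s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# 1.0.2 releases are ordered by letter suffix: "" < a < b < ... < r < ...
# Two-letter suffixes (z followed by a letter) are assumed to sort after z.
classify_102() {
    case "$1" in
        1.0.2|1.0.2[a-q])        echo pre-1.0.2r ;;
        1.0.2[r-z]|1.0.2z[a-z])  echo 1.0.2r-or-later ;;
        *)                       echo not-1.0.2-series ;;
    esac
}

# Classify one line; report when it carries no version token at all.
check_line() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo no-version; return 0; }
    classify_102 "$v"
}

# Constructed sample input: an `openssl version` style banner and
# package-makefile style assignments (assumed variable name).
for line in \
    'OpenSSL 1.0.2q  20 Nov 2018' \
    'LIBOPENSSL_VERSION = 1.0.2r' \
    'LIBOPENSSL_VERSION = 1.0.2' \
    'OpenSSL 1.1.1b  26 Feb 2019'
do
    printf '%-32s -> %s\n' "$line" "$(check_line "$line")"
done
```

A `pre-1.0.2r` result only says the version is older than the one this patch moves to; whether an application is exposed still depends on the SSL_shutdown() pattern described in the commit message.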