svn commit: r494030 - head/security/vuxml
Bernard Spil
brnrd at FreeBSD.org
Wed Feb 27 07:33:23 UTC 2019
Author: brnrd
Date: Wed Feb 27 07:33:22 2019
New Revision: 494030
URL: https://svnweb.freebsd.org/changeset/ports/494030
Log:
security/vuxml: Update OpenSSL 1.0.2r entry
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Feb 27 07:23:49 2019 (r494029)
+++ head/security/vuxml/vuln.xml Wed Feb 27 07:33:22 2019 (r494030)
@@ -229,18 +229,27 @@ Notes:
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
- <blockquote cite="https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html">
- <p>OpenSSL 1.0.2r is a security-fix release. The highest severity
- issue fixed in this release is MODERATE</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20190226.txt">
+ <p>0-byte record padding oracle (CVE-2019-1559) (Moderate)<br/>
+ If an application encounters a fatal protocol error and then calls
+ SSL_shutdown() twice (once to send a close_notify, and once to receive
+ one) then OpenSSL can respond differently to the calling application if
+ a 0 byte record is received with invalid padding compared to if a 0 byte
+ record is received with an invalid MAC. If the application then behaves
+ differently based on that in a way that is detectable to the remote peer,
+ then this amounts to a padding oracle that could be used to decrypt data.
+ </p>
</blockquote>
</body>
</description>
<references>
- <url>https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html</url>
+ <url>https://www.openssl.org/news/secadv/20190226.txt</url>
+ <cvename>CVE-2019-1559</cvename>
</references>
<dates>
<discovery>2019-02-19</discovery>
<entry>2019-02-20</entry>
+ <modified>2019-02-27</modified>
</dates>
</vuln>
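Review bot: The replacement blockquote (the paragraph starting at "+ <p>0-byte record padding oracle (CVE-2019-1559) (Moderate)<br/>") drops the only sentence that named 1.0.2r as the fixing release, so the description no longer tells a reader which version resolves the issue. Consider keeping one sentence that names 1.0.2r next to the advisory text. In <references>, the openssl-announce URL is removed rather than kept beside the new secadv URL; retaining both would preserve the source the entry was originally based on. Also worth confirming: <discovery> stays at 2019-02-19 while the newly cited advisory carries 20190226 in its URL, so please check that the earlier date is the one intended.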