Date:      Wed, 27 Feb 2019 07:33:22 +0000 (UTC)
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r494030 - head/security/vuxml
Message-ID:  <201902270733.x1R7XMi2097834@repo.freebsd.org>

Author: brnrd
Date: Wed Feb 27 07:33:22 2019
New Revision: 494030
URL: https://svnweb.freebsd.org/changeset/ports/494030

Log:
  security/vuxml: Update OpenSSL 1.0.2r entry

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Feb 27 07:23:49 2019	(r494029)
+++ head/security/vuxml/vuln.xml	Wed Feb 27 07:33:22 2019	(r494030)
@@ -229,18 +229,27 @@ Notes:
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
 	<p>The OpenSSL project reports:</p>
-	<blockquote cite="https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html">;
-	  <p>OpenSSL 1.0.2r is a security-fix release. The highest severity
-	    issue fixed in this release is MODERATE</p>
+	<blockquote cite="https://www.openssl.org/news/secadv/20190226.txt">;
+	  <p>0-byte record padding oracle (CVE-2019-1559) (Moderate)<br/>
+	    If an application encounters a fatal protocol error and then calls
+	    SSL_shutdown() twice (once to send a close_notify, and once to receive
+	    one) then OpenSSL can respond differently to the calling application if
+	    a 0 byte record is received with invalid padding compared to if a 0 byte
+	    record is received with an invalid MAC. If the application then behaves
+	    differently based on that in a way that is detectable to the remote peer,
+	    then this amounts to a padding oracle that could be used to decrypt data.
+	    </p>
 	</blockquote>
       </body>
     </description>
     <references>
-      <url>https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html</url>;
+      <url>https://www.openssl.org/news/secadv/20190226.txt</url>;
+      <cvename>CVE-2019-1559</cvename>
     </references>
     <dates>
       <discovery>2019-02-19</discovery>
       <entry>2019-02-20</entry>
+      <modified>2019-02-27</modified>
     </dates>
   </vuln>
 
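Review bot: The rewritten blockquote at the top of the hunk drops the only sentence in the description that named the fixing release ("OpenSSL 1.0.2r is a security-fix release"), so the body now describes the SSL_shutdown() padding-oracle condition without saying which release resolves it. Since the blockquote now cites the 20190226.txt advisory, consider stating the fixed release in a separate <p> outside the blockquote, or confirm that the part of the entry outside this hunk already carries it. The heading "0-byte record padding oracle (CVE-2019-1559) (Moderate)" is joined to the advisory text with <br/> inside one <p>; giving it its own <p> would read more cleanly. Also worth confirming: <discovery> stays at 2019-02-19 while the newly cited advisory is dated 20190226, and this change adds <modified> without touching it.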