Slackware64-14.1 ChangeLog (2013-02-09)
Sat Feb 9 21:45:56 UTC 2013
Packages
Upgraded
- a/openssl-solibs-1.0.1d-x86_64-1.txz
(* Security fix *) - n/openssl-1.0.1d-x86_64-1.txz
Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to and to Adam Langley agl@chromium.org for discovering
and detecting this bug and to Wolfgang Ettlinger
wolfgang.ettlinger@gmail.com for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]
Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
(* Security fix *)