VYPR

rpm package

opensuse/openssl-1_1&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Tumbleweed

Vulnerabilities (157)

  • CVE-2012-2686Feb 8, 2013
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.

  • CVE-2012-4929Sep 15, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing

  • CVE-2012-2110Apr 19, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corrup

  • CVE-2012-1165Mar 15, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.

  • CVE-2012-0884Mar 13, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptiv

  • CVE-2006-7250Feb 29, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.

  • CVE-2012-0050Jan 19, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.

  • CVE-2012-0027Jan 6, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.

  • CVE-2011-4619Jan 6, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

  • CVE-2011-4577Jan 6, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (A

  • CVE-2011-4576Jan 6, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.

  • CVE-2011-4108Jan 6, 2012
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

  • CVE-2011-3207Sep 22, 2011
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.

  • CVE-2011-0014Feb 19, 2011
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-b

  • CVE-2010-3864Nov 17, 2010
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow,

  • CVE-2010-2939Aug 17, 2010
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitr

  • CVE-2010-1633Jun 3, 2010
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obta

  • CVE-2010-0742Jun 3, 2010
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct do

  • CVE-2010-0740Mar 26, 2010
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of thes

  • CVE-2009-1387Jun 4, 2009
    affected < 1.1.1l-1.2fixed 1.1.1l-1.2

    The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

Page 7 of 8