openssl - multiple


Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues: * [CVE-2012-0884](https://security-tracker.debian.org/tracker/CVE-2012-0884) Ivan Nestlerode discovered a weakness in the CMS and PKCS #7 implementations that could allow an attacker to decrypt data via a Million Message Attack (MMA). * [CVE-2012-1165](https://security-tracker.debian.org/tracker/CVE-2012-1165) It was discovered that a NULL pointer could be dereferenced when parsing certain S/MIME messages, leading to denial of service. * [CVE-2012-2110](https://security-tracker.debian.org/tracker/CVE-2012-2110) Tavis Ormandy, Google Security Team, discovered a vulnerability in the way DER-encoded ASN.1 data is parsed that can result in a heap overflow. Additionally, the fix for [CVE-2011-4619](https://security-tracker.debian.org/tracker/CVE-2011-4619) has been updated to address an issue with SGC handshakes. Tomas Hoger, Red Hat, discovered that the fix for [CVE-2012-2110](https://security-tracker.debian.org/tracker/CVE-2012-2110) for the 0.9.8 series of OpenSSL was incomplete. It has been assigned the [CVE-2012-2131](https://security-tracker.debian.org/tracker/CVE-2012-2131) identifier. For the stable distribution (squeeze), these problems have been fixed in version 0.9.8o-4squeeze12. For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 1.0.1a-1. We recommend that you upgrade your openssl packages.

Affected Software

CPE Name Name Version
openssl 0.9.8o-4squeeze3
openssl 0.9.8o-4
openssl 0.9.8o-4squeeze4~bpo50+1
openssl 0.9.8o-4squeeze9
openssl 0.9.8o-4squeeze4
openssl 0.9.8o-4squeeze1
openssl 0.9.8o-4squeeze2
openssl 0.9.8o-4squeeze8
openssl 0.9.8o-4squeeze5
openssl 0.9.8o-4squeeze7