Advisory ROSA-SA-2021-1939

Software: openssl 1.0.2k
OS: Cobalt 7.9

CVE-ID: CVE-2011-4108
CVE-Crit: CRITICAL
CVE-DESC: The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs MAC checks only if a certain fill-in is allowed, making it easy for remote attackers to recover plaintext using a fill-in oracle attack.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2011-4576
CVE-Crit: MEDIUM
CVE-DESC: The SSL 3.0 implementation of SSL in OpenSSL before 0.9.8s and 1.x before 1.0.0f improperly initializes data structures for block cipher fills, which may allow remote attackers to obtain sensitive information by decrypting the fill data sent by the SSL Peer Node.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2011-4577
CVE-Crit: MEDIUM
CVE-DESC: OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing associated certificate extension data. with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2011-4619
CVE-Crit: MEDIUM
CVE-DESC: Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f incorrectly handles handshake restarts, allowing remote attackers to cause denial of service (CPU consumption) via undefined vectors .
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10931
CVE-Crit: HIGH
CVE-DESC: An issue has been discovered in the openssl box before version 0.9.0 for Rust. There is a SSL / TLS “man in the middle” vulnerability because certificate validation is disabled by default and there is no hostname validation API.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-7798
CVE-Crit: HIGH
CVE-DESC: openssl gem for Ruby uses the same initialization vector (IV) in GCM mode (aes - * - gcm) when the IV is set before the key, making it easier for context-dependent attackers to bypass encryption protections. mechanism.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-16395
CVE-Crit: CRITICAL.
CVE-DESC: A problem was found in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL :: X509 :: Name objects are compared using ==, depending on the order, unequal objects may return true. When the first argument is one character longer than the second argument, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This can be used to create an illegal certificate that can be accepted as legitimate and then used in signature or encryption operations.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20997
CVE-Crit: CRITICAL.
CVE-DESC: An issue was discovered in the openssl crate before version 0.10.9 for Rust. Post-release usage occurs in CMS Signing.
CVE-STATUS: default
CVE-REV: default