FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-0169

This CVE name corresponds to:

Entered Topic
2013-04-02 FreeBSD -- OpenSSL multiple vulnerabilities
2013-02-06 OpenSSL -- TLS 1.1, 1.2 denial of service

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2013-0169
Phase Assigned (20121206)

Description

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

References

Source Reference
MLIST [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations
MISC http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
MISC http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
CONFIRM http://www.matrixssl.org/news.html
CONFIRM http://www.openssl.org/news/secadv_20130204.txt
CONFIRM https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
CONFIRM http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21644047
CONFIRM http://support.apple.com/kb/HT5880
CONFIRM http://www.splunk.com/view/SP-CAAAHXG
CONFIRM https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
APPLE APPLE-SA-2013-09-12-1
DEBIAN DSA-2621
DEBIAN DSA-2622
FEDORA FEDORA-2013-4403
GENTOO GLSA-201406-32
HP HPSBUX02856
HP SSRT101104
HP HPSBMU02874
HP HPSBUX02857
HP SSRT101103
HP SSRT101184
HP HPSBUX02909
HP SSRT101289
MANDRIVA MDVSA-2013:095
REDHAT RHSA-2013:0587
REDHAT RHSA-2013:0782
REDHAT RHSA-2013:0783
REDHAT RHSA-2013:1455
REDHAT RHSA-2013:1456
REDHAT RHSA-2013:0833
SUSE SUSE-SU-2013:0328
SUSE openSUSE-SU-2013:0375
SUSE openSUSE-SU-2013:0378
SUSE SUSE-SU-2013:0701
SUSE SUSE-SU-2014:0320
SUSE SUSE-SU-2015:0578
UBUNTU USN-1735-1
CERT TA13-051A
CERT-VN VU#737740
OVAL oval:org.mitre.oval:def:19016
OVAL oval:org.mitre.oval:def:18841
OVAL oval:org.mitre.oval:def:19424
OVAL oval:org.mitre.oval:def:19540
OVAL oval:org.mitre.oval:def:19608
SECTRACK 1029190
SECUNIA 55108
SECUNIA 55139
SECUNIA 55322
SECUNIA 55351
SECUNIA 55350
SECUNIA 53623