Name | CVE-2019-1559 |
Description | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1701-1, DSA-4400-1, ELA-88-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
openssl (PTS) | jessie, jessie (lts) | 1.0.1t-1+deb8u21 | fixed |
stretch (security) | 1.1.0l-1~deb9u6 | fixed | |
stretch (lts), stretch | 1.1.0l-1~deb9u9 | fixed | |
buster (security), buster, buster (lts) | 1.1.1n-0+deb10u6 | fixed | |
bullseye | 1.1.1w-0+deb11u1 | fixed | |
bullseye (security) | 1.1.1w-0+deb11u2 | fixed | |
bookworm | 3.0.15-1~deb12u1 | fixed | |
bookworm (security) | 3.0.14-1~deb12u2 | fixed | |
sid, trixie | 3.3.2-2 | fixed | |
openssl1.0 (PTS) | stretch (security) | 1.0.2u-1~deb9u7 | fixed |
stretch (lts), stretch | 1.0.2u-1~deb9u9 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
openssl | source | wheezy | 1.0.1t-1+deb7u8 | ELA-88-1 | ||
openssl | source | jessie | 1.0.1t-1+deb8u11 | DLA-1701-1 | ||
openssl | source | (unstable) | 1.1.0b-2 | |||
openssl1.0 | source | stretch | 1.0.2r-1~deb9u1 | DSA-4400-1 | ||
openssl1.0 | source | (unstable) | (unfixed) |
OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=48c8bcf5bca0ce7751f49599381e143de1b61786
OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=5741d5bb74797e4532acc9f42e54c44a2726c179 (only hardening)
1.1.0 is not impacted by CVE-2019-1559. The CVE is a result of applications
calling SSL_shutdown after a fatal alert has occurred. 1.1.0 is not vulnerable
to this issue, marking first 1.1 upload of src:openssl as fixed
https://www.openssl.org/news/secadv/20190226.txt