CVE-2011-4108

Publication date 5 January 2012

Last updated 24 July 2024

Ubuntu priority

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	11.10 oneiric	Fixed 1.0.0e-2ubuntu4.2
	11.04 natty	Fixed 0.9.8o-5ubuntu1.2
	10.10 maverick	Fixed 0.9.8o-1ubuntu4.6
	10.04 LTS lucid	Fixed 0.9.8k-7ubuntu8.8
	8.04 LTS hardy	Fixed 0.9.8g-4ubuntu3.15
openssl098	11.10 oneiric	Fixed 0.9.8o-7ubuntu1.2
	11.04 natty	Not in release
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1357-1
OpenSSL vulnerabilities
9 February 2012

Other references

http://www.openssl.org/news/secadv_20120104.txt
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
https://www.cve.org/CVERecord?id=CVE-2011-4108