ALAS-2013-171

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response. (CVE-2013-0166)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Note: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.

i686:
    openssl-devel-1.0.0k-1.48.amzn1.i686
    openssl-static-1.0.0k-1.48.amzn1.i686
    openssl-1.0.0k-1.48.amzn1.i686
    openssl-debuginfo-1.0.0k-1.48.amzn1.i686
    openssl-perl-1.0.0k-1.48.amzn1.i686

src:
    openssl-1.0.0k-1.48.amzn1.src

x86_64:
    openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64
    openssl-1.0.0k-1.48.amzn1.x86_64
    openssl-devel-1.0.0k-1.48.amzn1.x86_64
    openssl-perl-1.0.0k-1.48.amzn1.x86_64
    openssl-static-1.0.0k-1.48.amzn1.x86_64