OpenSSL has announced fixes for the following six security flaws for versions 1.0.0f and 0.9.8s. The first is the notorious “extension of the Vaudenay padding oracle attack on CBC mode encryption”.
- DTLS Plaintext Recovery Attack (CVE-2011-4108)
- Double-free in Policy Checks (CVE-2011-4109)
- Uninitialized SSL 3.0 Padding (CVE-2011-4576)
- Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
- SGC Restart DoS Attack (CVE-2011-4619)
- Invalid GOST parameters DoS Attack (CVE-2012-0027)
The last CVE has an “original release date of 01/06/2012”, yet the OpenSSL security advisory was released “04 Jan 2012”.