Use of a Broken or Risky Cryptographic Algorithm The advisory has been revoked - it doesn't affect any version of package openssl Open this link in a new tab

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:19.04.

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
• https://seclists.org/bugtraq/2019/Oct/0
• https://seclists.org/bugtraq/2019/Oct/1
• https://seclists.org/bugtraq/2019/Sep/25
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
• https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS
• https://www.tenable.com/security/tns-2019-09
• https://www.debian.org/security/2019/dsa-4539
• https://www.debian.org/security/2019/dsa-4540
• https://security-tracker.debian.org/tracker/CVE-2019-1563
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
• https://security.gentoo.org/glsa/201911-04
• http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://security.netapp.com/advisory/ntap-20190919-0002/
• https://www.openssl.org/news/secadv/20190910.txt
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
• https://usn.ubuntu.com/4376-1/
• https://usn.ubuntu.com/4376-2/
• https://usn.ubuntu.com/4504-1/
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
• https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS