From $URL :
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported. This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext
from a TLS/DTLS connection, when CBC-mode encryption is used.
This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations). As such, it affects all TLS and DTLS
implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures
to deal with previous padding oracle attacks. All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.
The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of
the last byte in any block of plaintext).
To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the
plaintext stream across the sessions). For DTLS, a successful attack can be carried out in a single session. The attacker must also be located close to the machine being
Further details are noted in the paper.
Current status of fixes in various implementations:
* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version
The TLS implementation in the Bouncy Castle Java library before 1.48 and C#
library before 1.8 does not properly consider timing side-channel attacks on
a noncompliant MAC check operation during the processing of malformed CBC
padding, which allows remote attackers to conduct distinguishing attacks and
plaintext-recovery attacks via statistical analysis of timing data for
crafted packets, a related issue to CVE-2013-0169.
@maintainers: Please bump version or lastrite the package if it is no longer maintained.
This package has been masked since 03 May 2014 as part of a general dev-java/jruby mask.
@maintainers, please bump. One rdep dev-ruby/jruby-openssl. dev-ruby/jruby-openssl has no rdeps so both are a candidate for tree cleaning.
dev-ruby/jruby-openssl may as well go at this point or at least get masked as jruby itself is masked and no one has time to work on it right now.
Packages already masked. Sending last rites to lists.
# Tom Wijsman <TomWij@gentoo.org> (03 May 2014)
# Needs to be further tested and revised by both Java and Ruby herds.