DEBIAN-CVE-2019-1563
- Source
- https://security-tracker.debian.org/tracker/CVE-2019-1563
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-1563.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2019-1563
- Upstream
- Published
- 2019-09-10T17:15:11Z
- Modified
- 2025-09-19T06:21:31Z
- Summary
- [none]
- Details
-
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMSdecrypt or PKCS7decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
- References
Affected packages
Debian:11 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Debian:12 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Debian:13 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source
Debian:14 / openssl
Package
- Name
- openssl
- Purl
- pkg:deb/debian/openssl?arch=source