CVE-2009-3245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245): OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
base-system: please provide an updated ebuild.
0.9.8m is already in tree, as per bug #306925.
I'm going through all the bugs right now...adding another one.
CVE-2010-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433): The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
openssl-0.9.8n hasn't been released yet
*** Bug 308807 has been marked as a duplicate of this bug. ***
Rather than marking dups, please stabilize openssl-0.9.8m
(In reply to comment #7)
> rather marking dups, please stabilize openssl-0.9.8m

Agreed. I would like to know why the stabilization is a problem?
(In reply to comment #7)
> rather marking dups, please stabilize openssl-0.9.8m

Cilly, don't file multiple bugs for the same issue(s). The current m version does not have a fix for CVE-2010-0433. If base-system provides an updated m reversion, we can stable that. Patch is available at http://cvs.openssl.org/chngview?cn=19374
0.9.8n has been released today.
dev-libs/openssl-0.9.8n now in the tree
Thanks! Arches, please test and mark stable:
=dev-libs/openssl-0.9.8n
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
(In reply to comment #11)
> dev-libs/openssl-0.9.8n now in the tree

Should GLSA be issued then? I found this report only by accident and the CVE is very serious.
(In reply to comment #14)
> Should GLSA be issued then? I found this report only by accident and the CVE is
> very serious.

Of course, as soon as it has been stabilised on all arches. (And as soon as we have sufficient manpower to actually write the GLSA :)
Stable for HPPA.
Stable for PPC.
ppc64 done
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 stable, all arches done.
CVE-2010-0740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740): The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information.
Rerating.
GLSA request filed.
This issue was resolved and addressed in 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).