See $URL.
Rating as B as CMS is disabled by default.
Arches, please test and mark stable: =dev-libs/openssl-0.9.8o
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
Stable for HPPA.
CC'ing maintainer.
CVE-2010-0742 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742): The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.

CVE-2010-1633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633): RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.

NOTE: some of these details are obtained from third party information.
Marked ppc/ppc64 stable.
CVE-2010-0742: CMS disabled by default
CVE-2010-1633: only present in 1.x (we only have it masked)

-> Rerating C
(In reply to comment #8)
> CVE-2010-0742: CMS disabled by default
> CVE-2010-1633: only present in 1.x (we only have it masked)
>
> -> Rerating C

That's why I rated it as B, otherwise it would have been A.
base-system: It appears that our 0.x ebuilds do not allow to build with CMS. Please confirm this.
Sounds about right. I've never added a USE flag for it, so our default should match the upstream default.
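The rating discussion above turns on two facts: which OpenSSL version is installed (the fixed releases are 0.9.8o and 1.0.0a) and whether CMS was compiled in at all (a build that disables it defines OPENSSL_NO_CMS in its generated opensslconf.h). The following triage helper, an added example that is not part of the bug thread or of the Gentoo ebuilds, encodes exactly those two checks: it orders OpenSSL version strings including their letter suffixes, looks for OPENSSL_NO_CMS in an opensslconf.h text, and reports per CVE whether a host is exposed. The affected-version ranges come from the NVD text quoted earlier in the thread; the two header fragments are constructed samples, and the function and result names are this example's own.

```python
import re

# Constructed sample: an opensslconf.h fragment from a build with CMS disabled.
SAMPLE_CONF_NO_CMS = """
#ifndef OPENSSL_NO_CMS
# define OPENSSL_NO_CMS
#endif
"""

# Constructed sample: a build that leaves CMS enabled (no OPENSSL_NO_CMS define).
SAMPLE_CONF_WITH_CMS = """
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
"""

# Fixed releases per the NVD descriptions quoted in the bug.
FIXED_0_9 = "0.9.8o"
FIXED_1_0 = "1.0.0a"


def cms_disabled(opensslconf_text):
    """True when the build-configuration header defines OPENSSL_NO_CMS."""
    return re.search(r"^\s*#\s*define\s+OPENSSL_NO_CMS\b",
                     opensslconf_text, re.M) is not None


def parse_version(s):
    """Turn '0.9.8o' into an orderable tuple (0, 9, 8, 15).

    The letter suffix is converted to a base-26 index so that
    '' < 'a' < ... < 'z' < 'za' < 'zb', matching OpenSSL's release order.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", s.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % s)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    suffix = 0
    for ch in m.group(4):
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, suffix)


def assess(version, opensslconf_text):
    """Return {CVE: status} for the two CVEs handled in this bug.

    CVE-2010-0742: code is affected before 0.9.8o, and in 1.x before 1.0.0a,
                   but it is only reachable if CMS was compiled in.
    CVE-2010-1633: code is affected in 1.x before 1.0.0a only.
    """
    v = parse_version(version)
    if v[0] == 0:
        cms_code_affected = v < parse_version(FIXED_0_9)
        verify_recover_affected = False
    elif v[0] == 1:
        cms_code_affected = v < parse_version(FIXED_1_0)
        verify_recover_affected = cms_code_affected
    else:
        cms_code_affected = verify_recover_affected = False

    if not cms_code_affected:
        cms_status = "not affected"
    elif cms_disabled(opensslconf_text):
        cms_status = "vulnerable code present, CMS disabled at build time"
    else:
        cms_status = "exposed"

    return {
        "CVE-2010-0742": cms_status,
        "CVE-2010-1633": "exposed" if verify_recover_affected else "not affected",
    }


if __name__ == "__main__":
    # Stand-alone demo over the constructed samples; on a real host read
    # opensslconf.h from the installed headers and take the version from
    # `openssl version` instead.
    for ver, conf in (("0.9.8n", SAMPLE_CONF_NO_CMS),
                      ("0.9.8n", SAMPLE_CONF_WITH_CMS),
                      ("0.9.8o", SAMPLE_CONF_WITH_CMS),
                      ("1.0.0", SAMPLE_CONF_WITH_CMS)):
        print(ver, assess(ver, conf))
```

The middle status ("vulnerable code present, CMS disabled at build time") is the situation the thread describes for the 0.9.8 ebuilds: the fix is still worth taking, but the double-free in cms_asn1.c is not reachable, which is what justified the lower rating.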
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 stable, all arches done.
GLSA with bug 303739 and bug 308011.
This issue was resolved and addressed in 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).