Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 592074 (CVE-2016-2179) - <dev-libs/openssl-1.0.2i: DoS attack by filling up the queue for future messages
Summary: <dev-libs/openssl-1.0.2i: DoS attack by filling up the queue for future messages
Status: RESOLVED FIXED
Alias: CVE-2016-2179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2016-2180, CVE-2016-2183, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308
Blocks:
  Show dependency tree
 
Reported: 2016-08-25 09:20 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-08-25 09:20:29 UTC
From ${URL} :

It was found that current mechanism of queuing the future messages, i.e. messages having greater sequence numbers that are to be processed later, is prone to DoS attack by memory 
exhaustion, when attacker can fill up the queue with lots of large messages that are never going to be used. Only up to 10 messages in the future can be buffered and queue gets 
cleared when the connection is closed, thus attacker can exploit this only with opening many simultaneous connections.

Upstream patch:

https://github.com/openssl/openssl/commit/00a4c1421407b6ac796688871b0a49a179c694d9


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2016-09-23 01:42:34 UTC
Added to an existing GLSA Request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:27:56 UTC
This issue was resolved and addressed in
 GLSA 201612-16 at https://security.gentoo.org/glsa/201612-16
by GLSA coordinator Aaron Bauman (b-man).