| Summary: | <dev-libs/openssl-1.0.2i: DoS attack by filling up the queue for future messages | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1369504 | ||
| Whiteboard: | A3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 594500 | ||
| Bug Blocks: | |||
Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201612-16 at https://security.gentoo.org/glsa/201612-16 by GLSA coordinator Aaron Bauman (b-man). |
From ${URL} : It was found that current mechanism of queuing the future messages, i.e. messages having greater sequence numbers that are to be processed later, is prone to DoS attack by memory exhaustion, when attacker can fill up the queue with lots of large messages that are never going to be used. Only up to 10 messages in the future can be buffered and queue gets cleared when the connection is closed, thus attacker can exploit this only with opening many simultaneous connections. Upstream patch: https://github.com/openssl/openssl/commit/00a4c1421407b6ac796688871b0a49a179c694d9 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.