Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 205968 - dev-db/mysql dev-db/mysql-community yaSSL Multiple vulnerabilities (CVE-2008-{0226,0227})
Summary: dev-db/mysql dev-db/mysql-community yaSSL Multiple vulnerabilities (CVE-2008-...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/yass...
Whiteboard: A3? [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-15 15:17 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-15 15:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:17:18 UTC 
CVE-2008-0227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0227):
  yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allows
  remote attackers to cause a denial of service (crash) via a Hello packet
  containing a large size value, which triggers a buffer over-read in the
  HASHwithTransform::Update function in hash.cpp.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:27:13 UTC 
CVE-2008-0226:
  Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL
  and possibly other products, allow remote attackers to execute arbitrary
  code via (1) the ProcessOldClientHello function in handshake.cpp or
  (2) "input_buffer& operator>>" in yassl_imp.cpp.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:30:28 UTC 
mysql herd, are there circumstances under which mysql builds with yassl (and not openssl) support?
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-15 15:37:14 UTC 
No, we exclusively use openssl and not yaSSL.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:49:18 UTC 
That's what I like to hear :-)

INVALID then!