Bug 532040 - dev-libs/matrixssl: two vulnerabilities
Summary: dev-libs/matrixssl: two vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.matrixssl.org/news.html
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: 515950 530810
Reported: 2014-12-09 10:35 UTC by Agostino Sarubbo
Modified: 2020-09-10 20:08 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-12-09 10:35:30 UTC
From ${URL} :

MATRIXSSL 3.7.1
Releases
Security Fixes

X.509 and ASN.1 Parsing Improvements - A security audit revealed a handful of parsing issues related to boundary testing which could result in reading beyond a memory buffer. These have been fixed, and the getAsnLength() internal API also does a double check against the remaining buffer length in all cases.
Constant-Time Memory Compare - Calls to memcmp() have been replaced with a memcmpct() implementation to reduce the effectiveness of future timing based attacks.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
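
The two classes of fix named in the release notes above, sketched as an added example; this is not code from the bug report or from MatrixSSL. The function names asn1_read_length and ct_memcmp are hypothetical, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not MatrixSSL's getAsnLength()): read an ASN.1 length at
 * *pp and check it against the bytes remaining. Returns 0 and advances *pp past
 * the length octets, or -1. Minimal-encoding (DER) checks are left out. */
int asn1_read_length(const uint8_t **pp, size_t remaining, size_t *out_len)
{
    const uint8_t *p = *pp;
    size_t len, n;

    if (remaining < 1)
        return -1;                  /* no length octet */
    len = *p++;
    remaining--;
    if (len & 0x80) {               /* long form: low 7 bits count the octets */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > remaining)
            return -1;              /* indefinite, too wide, or truncated */
        remaining -= n;
        for (len = 0; n > 0; n--)
            len = (len << 8) | *p++;
    }
    if (len > remaining)
        return -1;                  /* content would run past the buffer */
    *pp = p;
    *out_len = len;
    return 0;
}

/* Hypothetical constant-time compare (not MatrixSSL's memcmpct()): every byte
 * is visited, so run time does not depend on where the first mismatch is.
 * Returns 0 when equal, non-zero otherwise. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= x[i] ^ y[i];
    return diff;
}

int main(void)
{
    /* Constructed input: length field announces 256 bytes, only 1 follows. */
    const uint8_t buf[] = { 0x82, 0x01, 0x00, 0xAA }, *p = buf;
    size_t len;
    printf("rejected: %d\n", asn1_read_length(&p, sizeof buf, &len) == -1);
    return 0;
}
```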
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 06:39:25 UTC
15 months and this package has still not been bumped.  Additional security vulnerabilities have been released since the current tree (3.6.1) version.  Package will be PMASKED and last-rited.

# Aaron Bauman <bman@gentoo.org> (19 Mar 2016)
# Multiple unpatched security vulnerabilities
# per bug #523040. Masked for removal in 30 days.
dev-libs/matrixssl
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-04-26 08:32:57 UTC
package tree cleaned.