Bug 724512 - <dev-libs/libressl-3.1.2: Denial of service if server sends empty cert list
Summary: <dev-libs/libressl-3.1.2: Denial of service if server sends empty cert list
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://ftp.openbsd.org/pub/OpenBSD/L...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-21 22:09 UTC by Sam James
Modified: 2020-07-27 20:33 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-21 22:09:24 UTC
Description:
"A TLS client with peer verification disabled may crash when contacting a server that sends an empty certificate list."

Patch: https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/004_libssl.patch.sig

Fixed in 3.1.2.
Comment 1 Larry the Git Cow gentoo-dev 2020-07-27 20:33:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=112dfed4131cb2e0256d5a37647467b88ec46208

commit 112dfed4131cb2e0256d5a37647467b88ec46208
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-07-27 20:30:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-07-27 20:30:27 +0000

    dev-libs/libressl: drop vulnerable
    
    * TLS 1.3 was not introduced in older versions or was not default
      enabled yet
    
    Bug: https://bugs.gentoo.org/724512
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/libressl/Manifest              |  1 -
 dev-libs/libressl/libressl-3.1.1.ebuild | 63 ---------------------------------
 2 files changed, 64 deletions(-)