Summary: | <dev-libs/openssl-0.9.8k: Denial of Service (CVE-2009-0590) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, fmccor |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openssl.org/news/secadv_20090325.txt | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-03-25 16:54:01 UTC
0.9.8k now in the tree Arches, please test and mark stable: =dev-libs/openssl-0.9.8k Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" amd64 stable note: repoman errors on all versions of this package: dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 129) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 130) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 134) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 138) (In reply to comment #3) > amd64 stable > > note: repoman errors on all versions of this package: > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 129) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 130) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 134) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 138) > I'll bite. Does that translate into: "Forcing 'emake -j1' because Upstream says parallel compilation fails" which is how I read it? Sparc stable. All tests run as they should. ppc and ppc64 done Stable for HPPA. CVE-2009-0590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0590): The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. CVE-2009-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0591): The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. CVE-2009-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0789): OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. x86 stable alpha/arm/ia64/m68k/s390/sh stable CVE-2009-0789 does not affect Gentoo. CVE-2009-0591 does also not affect us, as we give the user no way to enable CMS. GLSA 200904-08 |