| Summary: | <dev-libs/openssl-1.0.0e ECDH Ciphersuites DoS (CVE-2011-{3207,3210}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/45781/ | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-09-06 18:41:11 UTC
1.0.0e now in the tree

Arch teams, please, stabilize openssl-1.0.0e. TIA. tested many rdeps, amd64 ok

+ 07 Sep 2011; Tony Vroon <chainsaw@gentoo.org> openssl-1.0.0e.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+ security bug #382069.

Archtested on x86: Everything fine

(In reply to comment #5)
> Archtested on x86: Everything fine

Looks ok also for me on x86 +1

Stable for HPPA.

arm/x86 stable, thanks JD and Agostino

ppc/ppc64 stable

alpha/ia64/m68k/s390/sh/sparc stable

Thanks, everyone. Added to existing GLSA request.

CVE-2011-3210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210):
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages, which allows remote attackers to cause a denial of service (application crash) via out-of-order messages that violate the TLS protocol.

CVE-2011-3207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207):
crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.

This issue was resolved and addressed in GLSA 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).
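The CRL validity-window check that CVE-2011-3207 describes as bypassable, shown as an added example written for this page (it is not OpenSSL code and not part of the bug report): a CRL whose nextUpdate lies in the past is stale and must not be used to clear a certificate. It assumes the third-party `cryptography` package; the CA key and CRLs are constructed in memory as sample data.

```python
"""Added example: verify a CRL's signature and validity window before use."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_sample_crl(ca_key, issuer, this_update, next_update):
    """Build an (empty) CRL signed by ca_key with the given window; constructed data."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(this_update)
               .next_update(next_update))
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())


def _field_utc(crl, name):
    """Read thisUpdate/nextUpdate as an aware UTC datetime across library versions."""
    if hasattr(crl, name + "_utc"):          # cryptography >= 42
        return getattr(crl, name + "_utc")
    value = getattr(crl, name)               # older versions: naive UTC
    return None if value is None else value.replace(tzinfo=timezone.utc)


def crl_is_usable(crl, ca_public_key, now):
    """Return (ok, reason). Trust the CRL only if the issuer signature verifies
    and 'now' lies inside [thisUpdate, nextUpdate]; a past nextUpdate means the
    list is expired, the case the CVE text says the vulnerable code could miss."""
    if not crl.is_signature_valid(ca_public_key):
        return False, "bad signature"
    if now < _field_utc(crl, "last_update"):
        return False, "CRL not yet valid"
    next_update = _field_utc(crl, "next_update")
    if next_update is not None and now > next_update:
        return False, "CRL expired (nextUpdate in the past)"
    return True, "ok"


def demo():
    """Fresh CRL, stale CRL, and a CRL checked against the wrong CA key (constructed)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample CA (constructed)")])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    fresh = make_sample_crl(ca_key, issuer, now - timedelta(days=1), now + timedelta(days=7))
    stale = make_sample_crl(ca_key, issuer, now - timedelta(days=30), now - timedelta(days=1))
    return (crl_is_usable(fresh, ca_key.public_key(), now),
            crl_is_usable(stale, ca_key.public_key(), now),
            crl_is_usable(fresh, other_key.public_key(), now))
```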