| Summary: | <dev-libs/openssl-{1.0.0l,1.0.1g}: ECDSA Nonces Recovery Weakness (CVE-2014-0076) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system, bircoph, mgorny |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/57091/ | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo, 2014-03-21 16:44:50 UTC

GLSA together with bug 507074. 1.0.0 branch is affected too, currently masked.

---

This issue was resolved and addressed in GLSA 201404-07 at http://security.gentoo.org/glsa/glsa-201404-07.xml by GLSA coordinator Mikle Kolyada (Zlogene).

---

Andrew Savchenko (comment #4)

Severity is just normal for the most severe openssl bug in history?
A3 satisfies GLSA policy requirement, but maybe the policy should be revised itself?

---

(In reply to Andrew Savchenko from comment #4)
> Severity is just normal for the most severe openssl bug in history?
> A3 satisfies GLSA policy requirement, but maybe the policy should be revised
> itself?

Er, the 'most severe openssl bug in history' is the other bug linked in the advisory, not this one. (Even if it was the right one, this has nothing to do with the actual issue, so it being on-topic for the bug is debatable.)

At any rate, the issue impact ratings depend on the issue itself, not any other chained events that can be triggered by it, and certainly not media hype. As such, the rating and policy are fine.