Summary: | <net-libs/cyassl-2.9.4 : Multiple Vulnerabilities (CVE-2014-{2896,2897,2898,2899,2900}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | blueness
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://secunia.com/advisories/57743/ | |
Whiteboard: | B2 [glsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 495848 | |
Bug Blocks: | | |
Description
Agostino Sarubbo
2014-04-11 15:37:42 UTC
CVE-2014-2900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2900): wolfSSL CyaSSL before 2.9.4 does not properly validate X.509 certificates with unknown critical extensions, which allows man-in-the-middle attackers to spoof servers via a crafted X.509 certificate.

CVE-2014-2899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2899): wolfSSL CyaSSL before 2.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via (1) a request for the peer certificate when a certificate parsing failure occurs or (2) a client_key_exchange message when the ephemeral key is not found.

I'm in the process of tree cleaning this, bug #495848

Comment #3 (Anthony Basile): It's off the tree. This bug is no longer relevant and you can close it.

(In reply to Anthony Basile from comment #3)
> It's off the tree. This bug is no longer relevant and you can close it.

No. We should make a removal GLSA.

This issue was resolved and addressed in GLSA 201612-53 at https://security.gentoo.org/glsa/201612-53 by GLSA coordinator Thomas Deutschmann (whissi).
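The check CVE-2014-2900 is about, as an added illustration that is not CyaSSL code: RFC 5280 section 4.2 requires a validator to treat a certificate as unusable when it carries a critical extension it does not recognise. The stdlib-only Python below walks a DER-encoded Extensions SEQUENCE and reports critical extensions outside a constructed known-OID set; the sample extension lists, the private-arc OID 1.3.6.1.4.1.99999.1 and the known set are assumptions built for the example.

```python
# Constructed validator (not CyaSSL code): find critical X.509 extensions we do not understand.
KNOWN_EXTENSION_OIDS = {"2.5.29.15", "2.5.29.17", "2.5.29.19"}  # keyUsage, SAN, basicConstraints

def _read_tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, content, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def unknown_critical_extensions(extensions_der):
    """OIDs of critical extensions in a DER Extensions SEQUENCE that are not understood."""
    _, seq, _ = _read_tlv(extensions_der, 0)
    unknown, pos = [], 0
    while pos < len(seq):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, body, _ = _read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"  # DER omits the BOOLEAN when FALSE
        oid = _decode_oid(oid_body)
        if critical and oid not in KNOWN_EXTENSION_OIDS:
            unknown.append(oid)
    return unknown

def _tlv(tag, body):  # short-form DER length, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def _ext(oid, critical, value):
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _tlv(0x06, oid) + flag + _tlv(0x04, value))

# Constructed samples: critical basicConstraints (known), then the same plus a critical
# private-arc extension 1.3.6.1.4.1.99999.1 that a correct validator must reject.
BASIC_CONSTRAINTS = _ext(b"\x55\x1d\x13", True, b"\x30\x00")
UNKNOWN_CRITICAL = _ext(b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01", True, b"\x04\x00")
SAMPLE_OK = _tlv(0x30, BASIC_CONSTRAINTS)
SAMPLE_BAD = _tlv(0x30, BASIC_CONSTRAINTS + UNKNOWN_CRITICAL)
```

A non-empty result from `unknown_critical_extensions` is the condition under which a conforming validator must refuse the certificate; a non-critical unknown extension is ignored, as RFC 5280 allows.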