| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-libs/libressl-2.5.4: lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result | | |
| Product | Gentoo Security | Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | trivial | CC | libressl |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.openwall.com/lists/oss-security/2017/04/27/11 | | |
| Whiteboard | ~4 [noglsa cve] | | |
| Package list | | Runtime testing required | --- |
Description
GLSAMaker/CVETool Bot
2017-04-27 18:44:57 UTC
Fix is reverting commit ddd98f8ea741a122952185a36c1396c14c2fda74 [1] as per [2], as we did in Alpine [3].

[1]: https://github.com/libressl-portable/openbsd/commit/ddd98f8ea741a122952185a36c1396c14c2fda74
[2]: https://github.com/libressl-portable/portable/issues/307#issuecomment-297200962
[3]: https://git.alpinelinux.org/cgit/aports/commit/?id=500f378f52a862e91c61de633df00197d4afd366

Thomas Deutschmann (comment #3):

FYI, libressl released portable version 2.5.4 yesterday, which contains a fix for this CVE, as per the Github issue linked in comment 1.

@ Maintainer(s): Please drop =dev-libs/libressl-2.5.3!

Reply:

(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Please drop =dev-libs/libressl-2.5.3!

I've dropped 2.5.3