This issue was previously communicated to you via NISCC as "parasitic public keys" but without a patch. Bodo and Steven have worked on a patch, but it needs vendor testing. Patch is attached and under embargo.

Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL a DoS was discovered. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack.

CVE-2006-2940

Now to correct this we put in place various limits, similar to what other crypto libraries (such as NSS) do. This patch is against 0.9.8. Bodo said "Note that the ECC-related changes can be omitted for 0.9.7, since the 0.9.7 branch contains a partial ECC library, but does not integrate it into TLS and X.509!"

Please follow up on any testing to openssl-team as time is tight to get this out by the embargo date, 20060928. We'll come back next week with the final set of patches for all the 20060928 OpenSSL issues.
Created attachment 97750: openssl-Bodo-CVE-2006-2940.patch
Vapier, if you have time, please attach updated ebuilds for testing. Note that we now have two OpenSSL issues for 200609-28 (the other is bug #145510).
Created attachment 97994: openssl-CVE-2006-2937.patch
Created attachment 97995: openssl-CVE-2006-3738.patch
Created attachment 97996: openssl-CVE-2006-4343.patch
Now attached all patches scheduled for release the 28th.
updating status whiteboard handled in bug #145510
bug 145510 fixed, with GLSA 200610-11