Rating as B as CMS is disabled by default.
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
The Cryptographic Message Syntax (CMS) implementation in
crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a
does not properly handle structures that contain OriginatorInfo,
which allows context-dependent attackers to modify invalid memory
locations or conduct double-free attacks, and possibly execute
arbitrary code, via unspecified vectors.
RSA verification recovery in the EVP_PKEY_verify_recover function in
OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other
applications, returns uninitialized memory upon failure, which might
allow context-dependent attackers to bypass intended key requirements
or obtain sensitive information via unspecified vectors. NOTE: some
of these details are obtained from third party information.
Marked ppc/ppc64 stable.
CVE-2010-0742: CMS disabled by default
CVE-2010-1633: only present in 1.x (we only have it masked)
-> Rerating C
(In reply to comment #8)
> CVE-2010-0742: CMS disabled by default
> CVE-2010-1633: only present in 1.x (we only have it masked)
> -> Rerating C
That's why I rated it as B, otherwise it would have been A.
base-system: It appears that our 0.x ebuilds do not allow building with CMS. Please confirm this.
Sounds about right. I've never added a USE flag for it, so our default should match the upstream default.
amd64 stable, all arches done.
GLSA with bug 303739 and bug 308011.
This issue was resolved and addressed in
201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).