The ASN1 parsing code of openssl is affected by a security vulnerability. Reading from the advisory, it should mostly affect CMS and not SSL/TLS.
Commit message: Version bump
http://sources.gentoo.org/dev-libs/openssl/openssl-0.9.8v.ebuild?rev=1.1
http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.0i.ebuild?rev=1.1
http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.1a.ebuild?rev=1.1
Thanks, guys. Arches, please test and mark stable:
=dev-libs/openssl-1.0.0i
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
=dev-libs/openssl-0.9.8v
Target keywords: "amd64 x86"
Stable for HPPA.
x86 stable
amd64 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
OpenSSL says the fix for 0.9.8 is incomplete and they've released 0.9.8w to fix it (CVE-2012-2131). 1.0.0 and 1.0.1 are unaffected. http://openssl.org/news/secadv_20120424.txt
Commit message: Version bump
http://sources.gentoo.org/dev-libs/openssl/openssl-0.9.8w.ebuild?rev=1.1
CVE-2012-2110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2110): The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
CVE-2012-2131 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2131): Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.
Sorry for the bugspam here. Let's handle CVE-2012-2131 here as well. Arches, please test and mark stable:
=dev-libs/openssl-0.9.8w
Target keywords: "amd64 x86"
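A small triage helper, added here as an example (not part of the bug thread or of Gentoo's own tooling), that maps an installed OpenSSL version string onto the fixed releases quoted in the CVE entries above; the output labels (`vulnerable-2110`, `vulnerable-2131`, `fixed`, `not-listed`) and the numeric branch ordering are my own conventions, and branches newer than 1.0.1 are simply reported as not named in the advisory.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the fixed releases named in
# CVE-2012-2110 (0.9.8v, 1.0.0i, 1.0.1a) and CVE-2012-2131 (0.9.8w).
# Assumes the old OpenSSL scheme MAJOR.MINOR.FIX[letter], e.g. "0.9.8u".

# Ordinal of the single patch letter; an empty suffix sorts below "a".
letter_ord() {
    [ -n "$1" ] && printf '%d\n' "'$1" || echo 0
}

# Numeric key so branches can be ordered: "0.9.8" -> 908, "1.0.1" -> 10001
branch_key() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; fix=${rest#*.}
    echo $(( maj * 10000 + min * 100 + fix ))
}

# Prints one of: vulnerable-2110, vulnerable-2131, fixed, not-listed
openssl_asn1_status() {
    ver=$1
    base=$(printf '%s\n' "$ver" | sed 's/[a-z].*$//')
    suffix=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//; s/[^a-z].*$//')
    printf '%s\n' "$base" | grep -q '^[0-9]*\.[0-9]*\.[0-9]*$' \
        || { echo not-listed; return; }
    ord=$(letter_ord "$suffix")
    case $base in
        0.9.8)  # 0.9.8v fixed 2110 incompletely; 0.9.8w completes it (2131)
            if   [ "$ord" -lt "$(letter_ord v)" ]; then echo vulnerable-2110
            elif [ "$ord" -eq "$(letter_ord v)" ]; then echo vulnerable-2131
            else echo fixed; fi ;;
        1.0.0)
            if [ "$ord" -lt "$(letter_ord i)" ]; then echo vulnerable-2110
            else echo fixed; fi ;;
        1.0.1)
            if [ "$ord" -lt "$(letter_ord a)" ]; then echo vulnerable-2110
            else echo fixed; fi ;;
        *)  # Older than 0.9.8 is still "before 0.9.8v"; newer branches are not named
            if [ "$(branch_key "$base")" -lt "$(branch_key 0.9.8)" ]; then
                echo vulnerable-2110
            else echo not-listed; fi ;;
    esac
}

# Check the locally installed library: "openssl version" prints e.g.
# "OpenSSL 0.9.8u 8 Feb 2012", so the second field is the version string.
check_installed_openssl() {
    v=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || { echo "openssl binary not found" >&2; return 1; }
    echo "$v: $(openssl_asn1_status "$v")"
}
```

Run `check_installed_openssl` on a host to see which of the two CVEs, if any, its OpenSSL still needs; a `-fips` or similar trailing tag on the version string is ignored.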
ppc stable
ppc64 done
Thanks, everyone. Already in GLSA request.
This issue was resolved and addressed in GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml by GLSA coordinator Chris Reffett (creffett).