507418 – (CVE-2014-2896, CVE-2014-2897, CVE-2014-2898, CVE-2014-2899, CVE-2014-2900) <net-libs/cyassl-2.9.4 : Multiple Vulnerabilities (CVE-2014-{2896,2897,2898,2899,2900})

Bug 507418 (CVE-2014-2896, CVE-2014-2897, CVE-2014-2898, CVE-2014-2899, CVE-2014-2900) - <net-libs/cyassl-2.9.4 : Multiple Vulnerabilities (CVE-2014-{2896,2897,2898,2899,2900})

Summary: <net-libs/cyassl-2.9.4 : Multiple Vulnerabilities (CVE-2014-{2896,2897,2898,2...

Status:	RESOLVED FIXED

Alias:	CVE-2014-2896, CVE-2014-2897, CVE-2014-2898, CVE-2014-2899, CVE-2014-2900

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/57743/
Whiteboard:	B2 [glsa cve]
Keywords:

Depends on:	495848
Blocks:
	Show dependency tree

Reported:	2014-04-11 15:37 UTC by Agostino Sarubbo
Modified:	2016-12-31 14:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-04-11 15:37:42 UTC

From ${URL} :

Description

Multiple vulnerabilities have been reported in CyaSSL, where multiple have an unknown impact and other one can be exploited to potentially compromise a vulnerable system.

1) An unspecified error exists, which can be exploited to cause memory corruption. No further information is currently available.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

2) A NULL pointer dereference error exists. No further information is currently available.

3) An out-of-bounds memory read error exists. No further information is currently available.

4) An unspecified error related to X.509 unknown certificate extensions exists. No further information is currently available.

The vulnerabilities are reported in versions prior to 2.9.4.


Solution:
Update to version 2.9.4.

Provided and/or discovered by:
The vendor credits:
1-3) Ivan Fratric, Google Security Team.
4) Suman Jana with security researchers at UT Austin and UC Davis.

Original Advisory:
http://www.wolfssl.com/yaSSL/Docs-cyassl-changelog.html
http://www.yassl.com/forums/topic539-cyassl-294-released.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2014-04-28 19:22:40 UTC

CVE-2014-2900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2900):
  wolfSSL CyaSSL before 2.9.4 does not properly validate X.509 certificates
  with unknown critical extensions, which allows man-in-the-middle attackers
  to spoof servers via crafted X.509 certificate.

CVE-2014-2899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2899):
  wolfSSL CyaSSL before 2.9.4 allows remote attackers to cause a denial of
  service (NULL pointer dereference) via (1) a request for the peer
  certificate when a certificate parsing failure occurs or (2) a
  client_key_exchange message when the ephemeral key is not found.

Comment 2 Anthony Basile gentoo-dev

2014-06-14 21:02:04 UTC

I'm in the process of tree cleaning this, bug #495848

Comment 3 Anthony Basile gentoo-dev

2014-07-15 10:52:01 UTC

Its off the tree.  This bug is no longer relevant and you can close it.

Comment 4 Mikle Kolyada (RETIRED) archtester

2014-07-15 10:54:22 UTC

(In reply to Anthony Basile from comment #3)
> Its off the tree.  This bug is no longer relevant and you can close it.

No. We should make removal glsa

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2016-12-31 14:53:01 UTC

This issue was resolved and addressed in
 GLSA 201612-53 at https://security.gentoo.org/glsa/201612-53
by GLSA coordinator Thomas Deutschmann (whissi).