Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 554172 (CVE-2015-1793) - <dev-libs/openssl-{1.0.1p,1.0.2d}: Alternate chains certificate forgery (CVE-2015-1793)
Summary: <dev-libs/openssl-{1.0.1p,1.0.2d}: Alternate chains certificate forgery (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2015-1793
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
: 554326 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-07-07 20:07 UTC by Tobias Heinlein (RETIRED)
Modified: 2016-02-25 08:15 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2015-07-07 20:07:42 UTC
Details on request.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2015-07-07 20:30:19 UTC
Lars will prepare patched ebuilds, though we suspect that the official releases will look a bit different.

Ago and jer, will you be available on Thursday for rapid stabilization?
Comment 2 Agostino Sarubbo gentoo-dev 2015-07-07 20:47:31 UTC
(In reply to Tobias Heinlein from comment #1)
> Lars will prepare patched ebuilds, though we suspect that the official
> releases will look a bit different.
I read about his machine broken.
 
> Ago and jer, will you be available on Thursday for rapid stabilization?
Yes, I am
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-09 10:45:00 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Tobias Heinlein from comment #1)
> > Lars will prepare patched ebuilds, though we suspect that the official
> > releases will look a bit different.
> I read about his machine broken.

My dev machine broke but I've set up my notebook as replacement until I got time to fix my dev machine. So I gonna do the bump.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-09 12:59:16 UTC
Now public via https://www.openssl.org/news/secadv_20150709.txt
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-09 13:10:07 UTC
*** Bug 554326 has been marked as a duplicate of this bug. ***
Comment 7 SpanKY gentoo-dev 2015-07-09 14:09:55 UTC
herds really should be cc-ed on these bugs too
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-09 14:19:22 UTC
Arches, please test and mark stable:
=dev-libs/openssl-1.0.1p
=dev-libs/openssl-1.0.2d
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-09 14:39:42 UTC
(In reply to Agostino Sarubbo from comment #8)
> Arches, please test and mark stable:
> =dev-libs/openssl-1.0.1p
> =dev-libs/openssl-1.0.2d
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc
> x86"

My mistake, 1.0.2 series is not stable so is enough 1.0.1p


Arches, please test and mark stable:
=dev-libs/openssl-1.0.1p
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-09 15:04:16 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-09 15:04:31 UTC
x86 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-09 18:12:53 UTC
arm stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-10 06:55:18 UTC
Stable for PPC64.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-10 07:14:14 UTC
Stable for HPPA.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-10 08:44:30 UTC
GLSA draft (e46c5ae2e) is ready for release once stabilization is done
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-10 11:18:50 UTC
Stable on alpha.
Comment 17 Agostino Sarubbo gentoo-dev 2015-07-10 12:38:25 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-07-10 12:38:43 UTC
ppc stable
Comment 19 Agostino Sarubbo gentoo-dev 2015-07-10 13:01:36 UTC
sparc stable
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 13:08:15 UTC
This issue was resolved and addressed in
 GLSA 201507-15 at https://security.gentoo.org/glsa/201507-15
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 14:20:10 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 22 Yury German Gentoo Infrastructure gentoo-dev 2015-09-08 05:48:35 UTC
Maintainers, can we please drop the 1.0.2 prior to <1.0.2d
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2015-10-10 02:36:39 UTC
Please drop <1.0.2d (in 1.0.2x). If not cleaned up or appropriate reason given it will be cleaned up in 30 days by security.
Comment 24 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:15:20 UTC
Maintainer(s), Thank you for your work.