openssl-1.0.2l and libressl-2.6.2 are susceptible to an out-of-bounds read and crashes.

https://marc.info/?l=openbsd-tech&m=150906184009035&w=2

So observed on Tumbleweed, and therefore very likely affects 42.2, 42.3 and SLE as well. openssl-1.1.0f has been found to not have the problem anymore.

References:
https://marc.info/?l=openbsd-tech&m=150906184009035&w=2
https://marc.info/?l=openbsd-tech&m=150906184009035&q=raw
https://github.com/openssl/openssl/commit/6493e4801e9edbe1ad1e256d4ce9cd55c8aa2242#diff-bf594638aca419f471dd119cd22da58f

@ Maintainer(s): Please confirm that the package is vulnerable to this bug, and advise on how you would like to proceed.
updated on 08/21/2018 via commit fd5cf8ed re:

Keywords for dev-libs/openssl:

Keyword columns, left to right: alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86, hppa, m68k, s390, sh, sparc, amd64-fbsd, mips, x86-fbsd

                 | keywords                        | eapi unused slot  | repo
-----------------+---------------------------------+-------------------+-------
0.9.8z_p8        | ~ + ~ o ~ ~ ~ + ~ ~ ~ ~ ~ o ~ ~ | 5    #      0.9.8 | gentoo
0.9.8z_p8-r1     | ~ + ~ o ~ ~ ~ + ~ ~ ~ ~ ~ o ~ ~ | 6    o            | gentoo
-----------------+---------------------------------+-------------------+-------
1.0.2o-r3        | + + + + + + + + + + + + + ~ ~ ~ | 6    o      0     | gentoo
1.0.2o-r6        | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6    #            | gentoo
1.0.2p           | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6    o            | gentoo
-----------------+---------------------------------+-------------------+-------
[M]1.1.0i        | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6    o      0/1.1 | gentoo
[M]1.1.1_pre8    | o o o o o o o o o o o o o o o o | 6    #            | gentoo
[M]1.1.1_pre9    | o o o o o o o o o o o o o o o o | 6    o            | gentoo

Keywords for dev-libs/libressl:

Keyword columns, left to right: alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86, hppa, m68k, s390, sh, sparc, amd64-fbsd, mips, x86-fbsd

         | keywords                        | eapi unused slot  | repo
---------+---------------------------------+-------------------+-------
2.6.4    | ~ + + ~ ~ + + + ~ o + o + o ~ o | 6    o      0/44  | gentoo
2.6.5    | ~ + + ~ ~ ~ ~ + ~ o + o + o ~ o | 6    o            | gentoo
---------+---------------------------------+-------------------+-------
[M]2.7.3 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6    #      0/45  | gentoo
[M]2.7.4 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6    #            | gentoo
[M]2.8.0 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6    o            | gentoo

dev-libs/openssl: bump to v1.1.1 pre release 9 (beta)

- openssl-1.0.2a-x32-asm.patch dropped which shouldn't be necessary anymore according to upstream [Link 1].

Link 1: https://rt.openssl.org/Ticket/Display.html?id=3759#txn-62605
Bug: https://bugs.gentoo.org/542618
Package-Manager: Portage-2.3.48, Repoman-2.3.10

Gentoo Security Padawan (domhnall)

*** This bug has been marked as a duplicate of bug 581234 ***