Bug 719502 - GLSA 202004-10 lists unaffected 1.0.2 and 1.1.0 ebuild(s) as vulnerable
Summary: GLSA 202004-10 lists unaffected 1.0.2 and 1.1.0 ebuild(s) as vulnerable
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Assignee: Gentoo Security
Reported: 2020-04-26 08:19 UTC by Paulo M
Modified: 2021-05-26 11:34 UTC (History)
Attachments
Fix affected OpenSSL versions for GLSA 202004-10 (glsa-202004-10-openssl_versions_fix.patch,1.32 KB, text/plain)
2020-06-07 19:02 UTC, Hank Leininger

Description Paulo M 2020-04-26 08:19:05 UTC
GLSA-202004-10 marks all openssl versions under 1.1.1g as vulnerable. However, 1.0.2u fixed CVE-2019-1551 [1], and the 1.0.2* and 1.1.0* versions are not affected by CVE-2020-1967 [2].

[1] https://www.openssl.org/news/openssl-1.0.2-notes.html
[2] https://www.openssl.org/news/secadv/20200421.txt

Reproducible: Always
Comment 1 cmwatts 2020-04-28 01:06:55 UTC
Same status here. GLSA-202004-10 has caused Nessus to build plugin # 135946, which incorrectly marks anything prior to 1.1.1g as vulnerable. Specifically, 1.0.2u is the one I'm having trouble with.
Comment 2 Hank Leininger 2020-06-07 19:02:16 UTC
Created attachment 643856
Fix affected OpenSSL versions for GLSA 202004-10

Same issue here. 1.0.2u is not affected by either of the CVEs in this GLSA.

I think the attached patch to glsa-202004-10.xml is the right way to fix it, based on how other GLSAs handle multiple slots with different affected versions.

Unfortunately I do not know the right way to submit PRs for the glsa.git repo, as it is not mirrored to github like the main portage tree is.
Comment 3 Thomas Deutschmann gentoo-dev Security 2021-05-26 11:34:47 UTC
Closing as CANTFIX: OpenSSL in Gentoo never used slots, and the subslot format was too specific, which makes it impossible for us to properly target affected versions.
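As an added example (not code from this bug, the attached patch, or Gentoo's GLSA tooling), the following Python models the version-range mistake the description and Comment 2 describe: a single "below 1.1.1g" threshold compared with per-branch fix versions taken from the facts stated on this page. The branch table, version parser and function names are my own construction; the 1.1.0 entry follows the bug title's statement that the 1.1.0 ebuilds are unaffected.

```python
import re
from typing import Optional, Tuple

# Version facts as stated in this bug report (assumption: taken at face value):
#   - the GLSA treats everything below 1.1.1g as vulnerable (one flat threshold)
#   - CVE-2019-1551 was fixed in 1.0.2u on the 1.0.2 branch
#   - 1.0.2* and 1.1.0* are not affected by CVE-2020-1967
#   - the bug title states the 1.0.2 and 1.1.0 ebuilds are unaffected
GLSA_FLAT_THRESHOLD = "1.1.1g"
# Per-branch first unaffected version; None means the branch is not affected at all.
PER_BRANCH_FIXED = {
    (1, 0, 2): "1.0.2u",
    (1, 1, 0): None,
    (1, 1, 1): "1.1.1g",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn an OpenSSL-style version such as '1.0.2u' into a sortable tuple.
    The letter suffix is the patch level inside a branch: '' < 'a' < 'b' < ..."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, patch, letters = m.groups()
    # Encode the suffix base-27 so a two-letter suffix ('za') sorts after 'z'.
    suffix = 0
    for ch in letters:
        suffix = suffix * 27 + (ord(ch) - ord("a") + 1)
    return int(major), int(minor), int(patch), suffix

def flat_rule_affected(v: str) -> bool:
    """What the GLSA (and a scanner plugin derived from it) does: one threshold."""
    return parse_version(v) < parse_version(GLSA_FLAT_THRESHOLD)

def per_branch_affected(v: str) -> Optional[bool]:
    """Evaluate against the branch the version belongs to. Returns None for a
    branch the advisory says nothing about (unknown, which is not 'safe')."""
    parsed = parse_version(v)
    fixed = PER_BRANCH_FIXED.get(parsed[:3], "unknown")
    if fixed == "unknown":
        return None
    return False if fixed is None else parsed < parse_version(fixed)

def misclassified(v: str) -> bool:
    """True when the flat threshold flags a version the per-branch data clears:
    exactly the false positive this bug reports (1.0.2u, every 1.1.0 ebuild)."""
    return flat_rule_affected(v) and per_branch_affected(v) is False
```

Running `misclassified` over an installed openssl ebuild version reproduces the false positive for 1.0.2u and any 1.1.0 version while still flagging 1.0.2t and 1.1.1f.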