CVE-2009-0129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0129): libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
Debian developed a patch for this that introduces a croak (aka exception) in the error case. However, this might be unexpected for applications using the perl library. I did not check whether upstream went with another fix.
dev-perl/crypt-dsa is Crypt-DSA and not Crypt-OpenSSL-DSA, which is not in the tree. The only time openssl is used in Crypt-DSA is the generate_params function in Crypt::DSA::KeyChain: <http://cpansearch.perl.org/src/BTROTT/Crypt-DSA-0.14/lib/Crypt/DSA/KeyChain.pm> Thanks
Sounds good then, closing INVALID.
