Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399365 (CVE-2012-0050) - <dev-libs/openssl-{0.9.8t,1.0.0g}: DTLS Server DoS (CVE-2012-0050)
Summary: <dev-libs/openssl-{0.9.8t,1.0.0g}: DTLS Server DoS (CVE-2012-0050)
Status: RESOLVED FIXED
Alias: CVE-2012-0050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL: http://www.openssl.org/news/secadv_20...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-19 10:23 UTC by Icebird2000
Modified: 2012-03-06 02:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Icebird2000 2012-01-19 10:23:36 UTC
DTLS DoS issue

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-19 10:36:30 UTC
This issue is a caused by a regression of the CVE-2011-4108 fix.

base-system, are the two versions in $summary good to go stable?
Comment 2 SpanKY gentoo-dev 2012-01-24 02:03:43 UTC
yes, they should be good to stabilize
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-24 09:14:01 UTC
Arches, please test and mark stable:

=dev-libs/openssl-1.0.0g
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-0.9.8t
Target KEYWORDS : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-01-24 10:02:39 UTC
amd64 stable
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2012-01-24 13:04:38 UTC
x86 stable. Thanks
Comment 6 Jeroen Roovers gentoo-dev 2012-01-24 13:51:57 UTC
Stable for HPPA.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-01-28 18:29:35 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-02-01 14:20:22 UTC
ppc done
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:09:51 UTC
CVE-2012-0050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0050):
  OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which
  allows remote attackers to cause a denial of service via unspecified
  vectors.  NOTE: this vulnerability exists because of an incorrect fix for
  CVE-2011-4108.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-03-02 21:28:40 UTC
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-02 22:31:54 UTC
Thanks, everyone. Already part of draft GLSA.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:15:22 UTC
This issue was resolved and addressed in
 GLSA 201203-12 at http://security.gentoo.org/glsa/glsa-201203-12.xml
by GLSA coordinator Sean Amoss (ackle).