CVE-2013-4353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4353): The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
Stable for HPPA.
Arches, please test and mark stable: =dev-libs/openssl-1.0.1f Target Keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
arm stable
alpha stable
ppc stable
x86 stable
1.0.1f doesn't compile on alpha. I've reverted the stabilization and added a blocking bug.
Guess we're going straight to stable.
Failed to compile for me. AMD64 hardened. My guess is because I haven't compiled the kernel listed in /usr/src/linux http://bpaste.net/show/172185/
Ignore me... migrate-pax -m... Seems I need to update this system's kernel...
ia64 stable
ppc64 stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA request filed. Maintainer(s), please drop the vulnerable version(s).
+ 21 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -openssl-1.0.1e.ebuild, + -openssl-1.0.1e-r1.ebuild, -openssl-1.0.1e-r2.ebuild, + -openssl-1.0.1e-r3.ebuild, -files/openssl-1.0.1e-bad-mac-aes-ni.patch, + -files/openssl-1.0.1e-perl-5.18.patch, + -files/openssl-1.0.1e-rdrand-explicit.patch, + -files/openssl-1.0.1e-tls-ver-crash.patch: + Removed vulnerable versions (bug #497838). +
Cleanup done by Polynomial-C
This issue was resolved and addressed in GLSA 201402-25 at http://security.gentoo.org/glsa/glsa-201402-25.xml by GLSA coordinator Chris Reffett (creffett).