GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Oct 07, 2007 11:26 pm Post subject: [ GLSA 200710-06 ] OpenSSL: Multiple vulnerabilities |
 |
|
Gentoo Linux Security Advisory
Title: OpenSSL: Multiple vulnerabilities (GLSA 200710-06)
Severity: high
Exploitable: local, remote
Date: October 07, 2007
Bug(s): #188799, #194039
ID: 200710-06
Synopsis
A buffer underflow vulnerability and an information disclosure
vulnerability have been discovered in OpenSSL.
Background
OpenSSL is an implementation of the Secure Socket Layer and Transport
Layer Security protocols.
Affected Packages
Package: dev-libs/openssl
Vulnerable: < 0.9.8e-r3
Unaffected: >= 0.9.8e-r3
Architectures: All supported architectures
Description
Moritz Jodeit reported an off-by-one error in the
SSL_get_shared_ciphers() function, resulting from an incomplete fix of
CVE-2006-3738. A flaw has also been reported in the
BN_from_montgomery() function in crypto/bn/bn_mont.c when performing
Montgomery multiplication.
Impact
A remote attacker sending a specially crafted packet to an application
relying on OpenSSL could possibly execute arbitrary code with the
privileges of the user running the application. A local attacker could
perform a side channel attack to retrieve the RSA private keys.
Workaround
There is no known workaround at this time.
Resolution
All OpenSSL users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3" |
References
CVE-2006-3738
CVE-2007-3108
CVE-2007-5135
Last edited by GLSA on Fri Feb 15, 2013 4:25 am; edited 2 times in total |
|
News & Announcements
