GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Tue Oct 30, 2007 9:26 pm Post subject: [ GLSA 200710-30 ] OpenSSL: Remote execution of arbitrary co |
 |
|
Gentoo Linux Security Advisory
Title: OpenSSL: Remote execution of arbitrary code (GLSA 200710-30)
Severity: high
Exploitable: remote
Date: October 27, 2007
Updated: October 30, 2007
Bug(s): #195634
ID: 200710-30
Synopsis
OpenSSL contains a vulnerability allowing execution of arbitrary code or a Denial of Service.
Background
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.
Affected Packages
Package: dev-libs/openssl
Vulnerable: < 0.9.8f
Unaffected: >= 0.9.8f
Architectures: All supported architectures
Description
Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is caused due to an unspecified off-by-one error within the DTLS implementation.
Impact
A remote attacker could exploit this issue to execute arbitrary code or cause a Denial of Service. Only clients and servers explicitly using DTLS are affected, systems using SSL and TLS are not.
Workaround
There is no known workaround at this time.
Resolution
All OpenSSL users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8f" |
References
CVE-2007-4995
Last edited by GLSA on Wed Oct 31, 2007 4:19 am; edited 1 time in total |
|
News & Announcements
