On 05/02/2014 02:29 PM, Mark Lee wrote:
To all,
Not sure if we're affected, but see below for email details.
Regards, Mark
On 05/02/2014 09:30 AM, Marc Deslauriers wrote:
Hello,
A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service.
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e3...
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
Could a CVE please be assigned to this issue?
Thanks,
Marc.
I think getting this one a CVE is time critical. Mitre: sorry if this causes a duplicate, but I'm assigning a CVE now. Please use CVE-2014-0198 for this issue. Also cc'ing Theo so OpenBSD gets notified for sure. Speaking of which Theo: should we get you or an OpenBSD deputy (Bob Beck?) onto distros@?
-- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
To All,
Will Arch patch their version of OpenSSL?
Regards, Mark