Arch Linux Security Advisory ASA-201604-9 ========================================= Severity: Medium Date : 2016-04-17 CVE-ID : CVE-2016-4008 Package : libtasn1 Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package libtasn1 before version 4.8-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.8-1. # pacman -Syu "libtasn1>=4.8-1" The problem has been fixed upstream in version 4.8. Workaround ========== None. Description =========== The libtasn1 library, in its 4.7 version, can loop for a long time or indefinitely when it is used to parse DER representations of X.509 certificates, leading to a denial of service. Some of these loops may in addition increase heap or stack usage, leading to more issues. Impact ====== A remote attacker can cause an application using a vulnerable version of libtasn1 to loop indefinitely by sending a crafted X.509 certificate, causing a denial of service. References ========== http://article.gmane.org/gmane.comp.security.oss.general/19286 https://access.redhat.com/security/cve/CVE-2016-4008 https://bugzilla.redhat.com/show_bug.cgi?id=1325965