[arch-security] OpenSSL: CVE-2014-0198
Hey all,

This affects OpenSSL 1.x through 1.0.1g - the function do_ssl3_write is broken when used with SSL_MODE_RELEASE_BUFFERS.

According to the Red Hat bug tracker, this is done at least by ruby and nodejs:
https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1

NIST:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198

Debian Security Tracker:
https://security-tracker.debian.org/tracker/CVE-2014-0198

Fix:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b107586

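The message above gives the affected range as OpenSSL 1.x through 1.0.1g. The linked commit b107586 was first shipped in the 1.0.1h and 1.0.0m releases (OpenSSL security advisory of 5 June 2014). The script below is an added example for this thread, not code from any of the posters or from OpenSSL: it decodes the OPENSSL_VERSION_NUMBER constant that any program built against opensslv.h (here, Python's ssl module) reports, using OpenSSL's own 0xMNNFFPPS bit layout, and says whether the linked library predates the fix. The function names and the FIXED_PATCH table are this example's own; the 0.9.8 branch, which the thread does not mention, and pre-release snapshots are reported as not assessed rather than guessed.

```python
"""Decode OPENSSL_VERSION_NUMBER and tell whether the linked OpenSSL predates
the CVE-2014-0198 fix (commit b107586, released in 1.0.0m and 1.0.1h).

Added example for this thread; not code from the original posts or from
OpenSSL. The 0xMNNFFPPS bit layout is OpenSSL's own (opensslv.h); the table
of fixed releases is from the OpenSSL advisory of 5 June 2014. Function and
table names are this example's own.
"""
import ssl

# Branch (major, minor, fix) -> patch-letter index of the first release that
# contains the fix: 'm' = 13 for 1.0.0m, 'h' = 8 for 1.0.1h.
FIXED_PATCH = {(1, 0, 0): 13, (1, 0, 1): 8}

RELEASE = 0xf  # status nibble of a final release; 0 = dev, 1..14 = beta N


def decode(number):
    """Split 0xMNNFFPPS into (major, minor, fix, patch, status)."""
    return (
        (number >> 28) & 0xf,
        (number >> 20) & 0xff,
        (number >> 12) & 0xff,
        (number >> 4) & 0xff,
        number & 0xf,
    )


def version_string(number):
    """Render the number the way 'openssl version' prints it."""
    major, minor, fix, patch, status = decode(number)
    if major >= 3:
        # 3.x stores MAJOR.MINOR.PATCH with the FF field always zero.
        text = "%d.%d.%d" % (major, minor, patch)
    else:
        text = "%d.%d.%d" % (major, minor, fix)
        if patch:
            text += chr(ord("a") + patch - 1)  # 1 -> 'a', 7 -> 'g', 8 -> 'h'
    if status != RELEASE:
        text += "-dev" if status == 0 else "-beta%d" % status
    return text


def affected(number):
    """True if older than the fixed release of its branch, False if fixed,
    None if not assessed (pre-release snapshots, 0.9.8 and older)."""
    major, minor, fix, patch, status = decode(number)
    if status != RELEASE:
        return None  # dev/beta: depends on the snapshot date, not the number
    branch = (major, minor, fix)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    if branch > (1, 0, 1):
        return False  # 1.0.2 and later were first released after the fix
    return None  # 0.9.8 and older are outside what this thread discusses


def report(number):
    """One-line verdict for a version number."""
    verdict = {True: "AFFECTED", False: "fixed", None: "not assessed"}
    return "OpenSSL %s (0x%08x): %s" % (
        version_string(number), number, verdict[affected(number)])


if __name__ == "__main__":
    # Constructed sample numbers: 1.0.1g, 1.0.1h, 1.0.0l and 1.0.2.
    for sample in (0x1000107f, 0x1000108f, 0x100000cf, 0x1000200f):
        print(report(sample))
    # The interpreter's own library.
    print(report(ssl.OPENSSL_VERSION_NUMBER), "-", ssl.OPENSSL_VERSION)
```

A "fixed" verdict says only that the library carries the patch. As the message notes, the crash needs the application to set SSL_MODE_RELEASE_BUFFERS (ruby and nodejs do, per the Red Hat bug), so an "AFFECTED" library behind a program that never enables that mode is not reachable through this bug, and a distribution that backports the commit without bumping the letter (Arch's policy above is to wait for upstream instead) would be reported as affected by this check even though it is not.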
To all,

I already reported this. Here was my response from one of the developers:

Regards,
Mark

> On 03.05.2014 20:32, Mark Lee wrote:
>> To All,
>>
>> Will Arch patch their version of OpenSSL?
>
> Hi,
>
> My policy with openssl is to only follow upstream releases if possible. If we really need to apply patches they should already be committed into the upstream git repo.
>
> Greetings,
> Pierre
>
> --
> Pierre Schmitz, https://pierre-schmitz.com
> _______________________________________________
> arch-security mailing list
> arch-security@archlinux.org
> https://mailman.archlinux.org/mailman/listinfo/arch-security
On 05/18/2014 11:32 AM, ushi wrote:
> Hey all,
>
> This affects OpenSSL 1.x through 1.0.1g - the function do_ssl3_write is broken when used with SSL_MODE_RELEASE_BUFFERS.
>
> According to the Red Hat bug tracker, this is done at least by ruby and nodejs:
> https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1
>
> NIST:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
>
> Debian Security Tracker:
> https://security-tracker.debian.org/tracker/CVE-2014-0198
>
> Fix:
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b107586

On 18.05.2014 18:29, Mark Lee wrote:
> To all,
>
> I already reported this. Here was my response from one of the developers:
>
> Regards,
> Mark
>
>> On 03.05.2014 20:32, Mark Lee wrote:
>>> To All,
>>>
>>> Will Arch patch their version of OpenSSL?
>>
>> Hi,
>>
>> My policy with openssl is to only follow upstream releases if possible. If we really need to apply patches they should already be committed into the upstream git repo.
>>
>> Greetings,
>> Pierre
>>
>> --
>> Pierre Schmitz, https://pierre-schmitz.com

Well, the commit is there:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b107586