[arch-security] OpenSSL NULL pointer dereference in do_ssl3_write
To all,

Not sure if we're affected, but see below for email details.

Regards,
Mark
On 05/02/2014 09:30 AM, Marc Deslauriers wrote:
Hello,
A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service.
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e3...
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
Could a CVE please be assigned to this issue?
Thanks,
Marc.
I think getting this one a CVE is time critical. Mitre: sorry if this causes a duplicate, but I'm assigning a CVE now. Please use CVE-2014-0198 for this issue. Also cc'ing Theo so OpenBSD gets notified for sure. Speaking of which Theo: should we get you or an OpenBSD deputy (Bob Beck?) onto distros@?
-- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
On 05/02/2014 02:29 PM, Mark Lee wrote:
To All,

Will Arch patch their version of OpenSSL?

Regards,
Mark
On 03.05.2014 20:32, Mark Lee wrote:
To All,
Will Arch patch their version of OpenSSL?
Hi,

my policy with openssl is to only follow upstream releases if possible. If we really need to apply patches they should already be committed into the upstream git repo.

Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com