[arch-security] OpenSSL NULL pointer dereference in do_ssl3_write
Mark Lee
mark at markelee.com
Fri May 2 14:29:13 EDT 2014
To all,
Not sure if we're affected, but see below for email details.
Regards,
Mark
> On 05/02/2014 09:30 AM, Marc Deslauriers wrote:
>> Hello,
>>
>> A null pointer dereference bug was discovered in
>> do_ssl3_write(). An attacker could possibly use this to cause
>> OpenSSL to crash, resulting in a denial of service.
>>
>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
>>
>> http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
>>
>> http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
>>
>> Could a CVE please be assigned to this issue?
>>
>> Thanks,
>>
>> Marc.
>>
>
> I think getting this one a CVE is time critical. Mitre: sorry if
> this causes a duplicate, but I'm assigning a CVE now. Please use
> CVE-2014-0198 for this issue. Also cc'ing Theo so OpenBSD gets
> notified for sure. Speaking of which Theo: should we get you or an
> OpenBSD deputy (Bob Beck?) onto distros@?
>
> -- Kurt Seifried Red Hat Security Response Team (SRT) PGP:
> 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993