[arch-security] OpenSSL: CVE-2014-0198
Mark Lee
mark at markelee.com
Sun May 18 12:29:53 EDT 2014
To all,
I already reported this. Here was my response from one of the developers:
Regards,
Mark
> On 03.05.2014 20:32, Mark Lee wrote:
>> To All,
>>
>> Will Arch patch their version of OpenSSL?
>
> Hi,
>
> my policy with openssl is to only follow upstream releases if
> possible. If we really need to apply patches they should already be
> committed into the upstream git repo.
>
> Greetings,
>
> Pierre
>
> --
> Pierre Schmitz, https://pierre-schmitz.com
> _______________________________________________
> arch-security mailing list
> arch-security at archlinux.org
> https://mailman.archlinux.org/mailman/listinfo/arch-security
On 05/18/2014 11:32 AM, ushi wrote:
> Hey all,
>
> This affects OpenSSL 1.x through 1.0.1g - the function
> do_ssl3_write is broken when used with SSL_MODE_RELEASE_BUFFERS.
>
> According to the Red Hat bug tracker, this is done at least by ruby
> and nodejs:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1
>
> NIST:
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
>
> Debian Security Tracker:
>
> https://security-tracker.debian.org/tracker/CVE-2014-0198
>
> Fix:
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b107586
>
>