Full Disclosure mailing list archives
Re: [gentoo-announce] [ GLSA 200710-30 ] OpenSSL: Remote execution of arbitrary code
From: "Steffan Baron" <sbaron () open-source-consultants de>
Date: Thu, 1 Nov 2007 01:52:31 +0800
Sorry, but it seems that it is the other way around--vulnerable are versions < 0.9.8f, unaffected versions >= 0.9.8f. Gruß, Steffan On Tue, Oct 30, 2007, Pierre-Yves Rofes wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200710-30:02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: OpenSSL: Remote execution of arbitrary code Date: October 27, 2007 Updated: October 30, 2007 Bugs: #195634 ID: 200710-30:02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== OpenSSL contains a vulnerability allowing execution of arbitrary code or a Denial of Service. Background ========== OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl >= 0.9.8f < 0.9.8f Description =========== Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is caused due to an unspecified off-by-one error within the DTLS implementation. Impact ====== A remote attacker could exploit this issue to execute arbitrary code or cause a Denial of Service. Only clients and servers explicitly using DTLS are affected, systems using SSL and TLS are not. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8f" References ========== [ 1 ] CVE-2007-4995 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4995 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200710-30.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHJ65ouhJ+ozIKI5gRAgZBAJ9AxCEUPQdufW9CpSfknxulEzbKOACgkS9z i1D8SXsVh4DYdAFCXE5XMaU= =PTxu -----END PGP SIGNATURE----- -- gentoo-announce () gentoo org mailing list
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [ GLSA 200710-30 ] OpenSSL: Remote execution of arbitrary code Pierre-Yves Rofes (Oct 30)
- Re: [gentoo-announce] [ GLSA 200710-30 ] OpenSSL: Remote execution of arbitrary code Steffan Baron (Oct 31)