oss-sec mailing list archives

CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 12 Jan 2009 14:39:44 +0100

Hello Steve,

  could you please allocate CVE ids for the following OpenSSL
CVE-2008-5077 related issues:

tsqllib:  https://bugzilla.redhat.com/show_bug.cgi?id=479650
          http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509

libnasl: https://bugzilla.redhat.com/show_bug.cgi?id=479655
         http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517

boinc-client: https://bugzilla.redhat.com/show_bug.cgi?id=479664
              http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511521

m2crypto: https://bugzilla.redhat.com/show_bug.cgi?id=479676
          http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515

Other related issues (probably more to come):
slurm-llnl:                 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511511
libcrypt-openssl-dsa-perl:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
erlang:                     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520
                            Lower severity issue due to the fact that the output of
                            the DSA_do_verify function is further processed and
                            sent back to the caller, where it is compared against 1:

From lib/crypto/src/crypto.erl:

dss_verify(Dgst,Signature,Key) ->
    control(?DSS_VERIFY, [Dgst,Signature,Key]) == <<1>>.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
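
Added example, not part of the original message and not code from any of the packages listed: a small line-based audit for the return-value handling the erlang note refers to. OpenSSL's DSA_do_verify, EVP_VerifyFinal and the related verify calls return 1 for a valid signature, 0 for an invalid one and -1 on error, so only a comparison that isolates 1 is safe. The names classify, audit and SAMPLE are hypothetical, and the sample lines are constructed.

```python
import re

# OpenSSL verify calls that return 1 (valid), 0 (invalid) or -1 (error).
FUNCS = "EVP_VerifyFinal|DSA_do_verify|DSA_verify|ECDSA_do_verify|ECDSA_verify"
CALL = re.compile(r"(!\s*)?\b(" + FUNCS + r")\s*\(")
CMP = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*(-?\d+)\b")
# Comparisons that separate the value 1 from both 0 and -1.
SAFE = {("==", "1"), ("!=", "1"), ("<=", "0"), (">", "0"), ("<", "1"), (">=", "1")}
# Text before the call that means its result is used directly as a truth value.
BARE_COND = re.compile(r"(\b(if|while)\s*\(|&&|\|\|)\s*\(*\s*$")

def call_end(line, open_idx):
    """Index just past the ')' that closes the call, or None if it spans lines."""
    depth = 0
    for i in range(open_idx, len(line)):
        depth += {"(": 1, ")": -1}.get(line[i], 0)
        if depth == 0:
            return i + 1
    return None

def classify(line):
    """None (no verify call), 'safe', 'unsafe' or 'review' for one C source line."""
    m = CALL.search(line)
    if not m:
        return None
    end = call_end(line, m.end() - 1)
    if end is None:
        return "review"
    if m.group(1):  # !f(...): -1 is nonzero, so an error is not treated as failure
        return "unsafe"
    c = CMP.match(line[end:])
    if c:
        if c.groups() in SAFE:
            return "safe"
        return "unsafe" if c.groups() in {("==", "0"), ("!=", "0")} else "review"
    if BARE_COND.search(line[:m.start()]):  # if (f(...)): -1 counts as true
        return "unsafe"
    return "review"  # e.g. ret = f(...); the later check on ret needs a manual look

def audit(lines):
    return [(n, v) for n, v in ((n, classify(l)) for n, l in enumerate(lines, 1)) if v]

# Constructed sample lines, not taken from any of the packages listed above.
SAMPLE = [
    "if (!DSA_do_verify(dgst, dlen, sig, dsa)) goto bad;",
    "if (EVP_VerifyFinal(&ctx, sig, siglen, pkey)) ok = 1;",
    "if (EVP_VerifyFinal(&ctx, sig, siglen, pkey) != 1) goto bad;",
    "ret = ECDSA_verify(0, dgst, dlen, sig, siglen, key);",
]
```

The check is per line and heuristic: a result stored in a variable is reported as "review" because the later test on that variable decides whether -1 is handled.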

