Posted: Sun Oct 07, 2007 11:26 pm Post subject: [ GLSA 200710-06 ] OpenSSL: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: OpenSSL: Multiple vulnerabilities (GLSA 200710-06)
Exploitable: local, remote
Date: October 07, 2007
Bug(s): #188799, #194039
A buffer underflow vulnerability and an information disclosure
vulnerability have been discovered in OpenSSL.
OpenSSL is an implementation of the Secure Sockets Layer and Transport
Layer Security protocols.
Vulnerable: < 0.9.8e-r3
Unaffected: >= 0.9.8e-r3
Architectures: All supported architectures
Moritz Jodeit reported an off-by-one error in the
SSL_get_shared_ciphers() function, resulting from an incomplete fix of
CVE-2006-3738. A flaw has also been reported in the
BN_from_montgomery() function in crypto/bn/bn_mont.c when performing
A remote attacker sending a specially crafted packet to an application
relying on OpenSSL could possibly execute arbitrary code with the
privileges of the user running the application. A local attacker could
perform a side channel attack to retrieve the RSA private keys.
There is no known workaround at this time.
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3"
Last edited by GLSA on Fri Feb 15, 2013 4:25 am; edited 2 times in total
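To check an installed dev-libs/openssl version against the affected range above (< 0.9.8e-r3), here is an added example; it is not part of the advisory and is not Portage code. The function names are hypothetical, and it assumes a simplified Gentoo version form of dotted numbers, an optional letter and an optional -rN revision, with suffixes such as _pre not handled.

```python
import re

# Simplified Gentoo version form (assumption of this example):
# dotted numbers, optional single letter, optional -rN revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

FIXED_VERSION = "0.9.8e-r3"  # first unaffected version, taken from the advisory


def parse_version(text):
    """Split a version string into (number components, letter, revision)."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers, letter, revision = match.groups()
    return numbers.split("."), letter, int(revision or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_component(a, b, first):
    # After the first component, a leading zero means the pair is compared
    # as strings with trailing zeros stripped; otherwise as integers.
    if not first and (a.startswith("0") or b.startswith("0")):
        return _cmp(a.rstrip("0"), b.rstrip("0"))
    return _cmp(int(a), int(b))


def compare_versions(left, right):
    """Return -1, 0 or 1 when left is older than, equal to or newer than right."""
    lnum, llet, lrev = parse_version(left)
    rnum, rlet, rrev = parse_version(right)
    for index, (a, b) in enumerate(zip(lnum, rnum)):
        result = _cmp_component(a, b, first=(index == 0))
        if result:
            return result
    # Same leading numbers: more components, then a later letter (no letter
    # sorts lowest), then a higher revision (no revision counts as r0) wins.
    return _cmp(len(lnum), len(rnum)) or _cmp(llet, rlet) or _cmp(lrev, rrev)


def is_vulnerable(installed):
    """True when the installed version is older than the fixed version."""
    return compare_versions(installed, FIXED_VERSION) < 0
```

A plain string comparison would misorder cases such as 0.9.10 against 0.9.8e-r3, which is why the components are compared individually.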