From: bugzilla at busybox.net <bugzilla@busybox.net>
To: buildroot@busybox.net
Subject: [Buildroot] [Bug 703] New: [SECURITY] Update openssl package to 0.9.8l
Date: Tue, 10 Nov 2009 17:22:21 +0000 (UTC) [thread overview]
Message-ID: <bug-703-163@https.bugs.busybox.net/> (raw)
https://bugs.busybox.net/show_bug.cgi?id=703
Host: i686-linux
Target: arm-softfloat-linux-uclibcgnueabi
Summary: [SECURITY] Update openssl package to 0.9.8l
Product: buildroot
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P5
Component: Outdated package
AssignedTo: unassigned at buildroot.uclibc.org
ReportedBy: gustavo at zacarias.com.ar
CC: buildroot at uclibc.org
Estimated Hours: 0.0
Created an attachment (id=731)
--> (https://bugs.busybox.net/attachment.cgi?id=731)
Bump openssl package to 0.9.8l + security fixes
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier
0.9.8 versions allows remote attackers to cause a denial of service (memory
consumption) via a large series of "future epoch" DTLS records that are
buffered in a queue, aka "DTLS record buffer limitation bug."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
Multiple memory leaks in the dtls1_process_out_of_seq_message function in
ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote
attackers to cause a denial of service (memory consumption) via DTLS records
that (1) are duplicates or (2) have sequence numbers much greater than current
sequence numbers, aka "DTLS fragment handling memory leak."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function
in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a
denial of service (openssl s_client crash) and possibly have unspecified other
impact via a DTLS packet, as demonstrated by a packet from a server that uses a
crafted server certificate.
--
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
next reply other threads:[~2009-11-10 17:22 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-10 17:22 bugzilla at busybox.net [this message]
2009-11-15 23:00 ` [Buildroot] [Bug 703] [SECURITY] Update openssl package to 0.9.8l bugzilla at busybox.net
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-703-163@https.bugs.busybox.net/ \
--to=bugzilla@busybox.net \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.