FS#39832 - [openssl] OpenSSL is vulnerable to a use after free bug which may cause race conditions
Attached to Project:
Arch Linux
Opened by wes (Nisstyre56) - Sunday, 13 April 2014, 05:44 GMT
Last edited by Pierre Schmitz (Pierre) - Thursday, 05 June 2014, 15:52 GMT
Details
Description: Latest versions of OpenSSL are vulnerable to a use after free bug. OpenSSL tries to free a buffer before it is empty, which may cause a race condition that allows memory injection between connections that share said buffer (according to the OpenBSD security team).

There is a patch and advisory available at http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch

This seems to be the affected line in OpenSSL: https://github.com/openssl/openssl/blob/master/ssl/s3_pkt.c#L1337

Versions: 1.0.1f and 1.0.1g are known to have the bug.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
Since waiting for upstream to react isn't proactive,
please apply the patch as soon as possible, as it affects all openssl versions according to the CVE.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
or
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
Patches are identical and just for reference here.
Official OpenSSL Security Advisory states:
----------- 8< snip >8 -------------
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.
This issue was reported in public.
----------- 8< snip >8 -------------
For any future security fixes in regard to openssl,
I ask here very politely that you consider applying patches
sooner rather than waiting almost two months.
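As an added defender-side check (not part of this bug report, the OpenBSD patch, or OpenSSL itself), the following script encodes the advisory's affected-version rule for CVE-2010-5298: only the 1.0.0 and 1.0.1 branches are affected, fixed in 1.0.0m and 1.0.1h, and the flaw is only reachable when the application is multithreaded and has SSL_MODE_RELEASE_BUFFERS enabled. It parses the output of `openssl version` and reports exposure; the function names and the sample version strings are my own.

```python
import re

# Fixed releases named in the OpenSSL advisory quoted above.
FIXED_RELEASE = {(1, 0, 0): "m", (1, 0, 1): "h"}

# Matches "1.0.1g" inside e.g. "OpenSSL 1.0.1g 7 Apr 2014" (output of `openssl version`).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) for a 1.0.x-style OpenSSL version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def affected_by_cve_2010_5298(text):
    """True when the version is on an affected branch and older than the fixed release."""
    branch, letter = parse_openssl_version(text)
    if branch not in FIXED_RELEASE:
        return False  # advisory names only 1.0.0 and 1.0.1
    # 1.0.x patch releases use single-letter suffixes, so lexical order is
    # release order; an empty suffix (e.g. "1.0.0") sorts before "a".
    return letter < FIXED_RELEASE[branch]


def exposure(text, release_buffers_enabled, multithreaded):
    """Classify a deployment: the bug needs a vulnerable build AND both preconditions."""
    if not affected_by_cve_2010_5298(text):
        return "not-vulnerable"
    if release_buffers_enabled and multithreaded:
        return "exposed"  # upgrade to 1.0.0m / 1.0.1h, or clear SSL_MODE_RELEASE_BUFFERS
    return "vulnerable-build-not-exposed"


if __name__ == "__main__":
    # Constructed sample strings in `openssl version` format.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014", "OpenSSL 1.0.0 29 Mar 2010"):
        print(sample, "->", exposure(sample, release_buffers_enabled=True, multithreaded=True))
```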