FS#40251 - [openssl] CVE-2014-0198 - apply security patch
Attached to Project: Arch Linux
Opened by Sapalot (superfranky) - Tuesday, 06 May 2014, 21:55 GMT
Last edited by Pierre Schmitz (Pierre) - Thursday, 05 June 2014, 15:51 GMT
Details
Description: An attacker can trigger generation of an SSL alert which could cause a null pointer dereference.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
'The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.'
Spotted and fixed by the OpenBSD guys with the following patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/009_openssl.patch
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
Patches are identical and just here for reference.
Affected OpenSSL versions: 1.0.0 up to 1.0.1g.
Since waiting for upstream to react isn't pro-active, please apply the patch as soon as possible.
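
A simplified C model of the flaw described in the NVD text above, added here as an illustration and not taken from OpenSSL or from the linked OpenBSD patch; `struct conn`, `setup_wbuf` and `write_record` are hypothetical names. It returns an error code at the point where a real write would dereference the released buffer, and shows that checking the buffer after the nested call avoids it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model only: struct, fields and functions are hypothetical, not OpenSSL's. */
#define WBUF_LEN 64
struct conn {
    unsigned char *wbuf;  /* write buffer; NULL while released */
    int alert_pending;    /* an alert is queued and must go out first */
    int release_buffers;  /* models SSL_MODE_RELEASE_BUFFERS */
};

static int setup_wbuf(struct conn *c) {
    if (c->wbuf == NULL) c->wbuf = malloc(WBUF_LEN);
    return c->wbuf != NULL;
}

/* fixed=0: buffer checked only before the nested alert write.
 * fixed=1: buffer checked after it. Returns bytes written, -1 on error,
 * -2 where the unfixed flow would dereference a NULL buffer. */
int write_record(struct conn *c, const char *data, size_t len, int fixed) {
    if (len > WBUF_LEN) return -1;
    if (!fixed && !setup_wbuf(c)) return -1;
    if (c->alert_pending) {
        c->alert_pending = 0;
        /* Recursive call: sends the alert (constructed 2-byte payload) and,
         * with release_buffers set, frees the shared buffer on completion. */
        if (write_record(c, "\x02\x00", 2, fixed) <= 0) return -1;
    }
    if (fixed && !setup_wbuf(c)) return -1;
    if (c->wbuf == NULL) return -2;  /* a real write would crash here */
    memcpy(c->wbuf, data, len);      /* stands in for building and sending */
    if (c->release_buffers) { free(c->wbuf); c->wbuf = NULL; }
    return (int)len;
}

int main(void) {
    struct conn a = {NULL, 1, 1}, b = {NULL, 1, 1};
    printf("unfixed: %d\n", write_record(&a, "hi", 2, 0));
    printf("fixed:   %d\n", write_record(&b, "hi", 2, 1));
    return 0;
}
```
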
I uploaded the changes for the PKGBUILD to apply both OpenBSD patches for CVE-2014-0198 and CVE-2010-5298 (which has been reported here: https://bugs.archlinux.org/task/39832).
+ switched from md5sums to sha1sums
Official OpenSSL Security Advisory states:
----------- 8< snip >8 -------------
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================
A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference. This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.
This issue was reported in public. The fix was developed by
Matt Caswell of the OpenSSL development team.
----------- 8< snip >8 -------------
For any future security fixes in regard to openssl,
I ask here very politely that you consider applying patches
rather sooner and not waiting over a month.