This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig73BF8446F824FBBDB41D9E8A Content-Type: text/plain; charset=UTF- Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High Title: OpenSSL: Multiple vulnerabilities Date: October 09, 2011 Bugs: #303739, #308011, #322575, #332027, #345767, #347623, #354139, #382069 ID: 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Multiple vulnerabilities were found in OpenSSL, allowing for the execution of arbitrary code and other attacks.
Background ==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.
Affected packages =================
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.0e >= 1.0.0e
Description ===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.
Impact ======
A context-dependent attacker could cause a Denial of Service, possibly execute arbitrary code, bypass intended key requirements, force the downgrade to unintended ciphers, bypass the need for knowledge of shared secrets and successfully authenticate, bypass CRL validation, or obtain sensitive information in applications that use OpenSSL.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0e"
NOTE: This is a legacy GLSA. Updates for all affected architectures are available since September 17, 2011. It is likely that your system is already no longer affected by most of these issues.
References ==========
[ 1 ] CVE-2009-3245 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245 [ 2 ] CVE-2009-4355 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4355 [ 3 ] CVE-2010-0433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433 [ 4 ] CVE-2010-0740 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740 [ 5 ] CVE-2010-0742 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742 [ 6 ] CVE-2010-1633 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633 [ 7 ] CVE-2010-2939 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939 [ 8 ] CVE-2010-3864 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864 [ 9 ] CVE-2010-4180 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4180 [ 10 ] CVE-2010-4252 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4252 [ 11 ] CVE-2011-0014 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0014 [ 12 ] CVE-2011-3207 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207 [ 13 ] CVE-2011-3210 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-01.xml
Concerns? =========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License =======
Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--------------enig73BF8446F824FBBDB41D9E8A Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJOkb+eAAoJEByNLmvcM7Du4w8P/jrkqZeULthEcAofB3rnZaH8 AUBEqz87QCzCeJBZyzgdCoxpyknaCmiHQL1oxYl3ra/CUhTwHUl3gYPg1oHtwZlN 9yu4t/yXAQaY+Nj9LoG0oTnJ135AOH1SDXZa39hWI57FGYJKziQYlCfCOrpmqzNs yrDx/48JohQO4KMCNBdh2qirjzinKychkUJDAPfIffBhnS4Os+WqLfcNsZRuUnFu vqgQvaIgoDOqKt76Xc8+P/2XjifyVzY/cM6EknaWXpF3GmYn5VFSNE1GkgjZ3KR0 RV98SVnz1TqhcAxo/5NDjEW69jnEXRgRQsQMm9h+C6V2wHb5/A2OHZ5veXOiQA6/ 4uE5Rc64kqsCBVT2WMdYWnuJ8mO0bLOh26BTunSo/9lXtAxhG6a/zEO47Z1Q3mqG 49aEnkYD0Qtf/DdoLlUhVkdRU5Mwy+CVz0Etu3C+/sCVhPuqePFzRAYKaF/7tc9k gTZf5JZoJNmGdJqBIxywuX8E2esRlge98qmsAwQbJTMDDHdzbDUlJFmag+7YILy7 ajzGhIMiVlYcSE1g30QJPR0fmK7Uzzw7fjrMFzwENV77ioDYy+nq1wKeLk0oMqVK ahc1HihMowo5+8J+YFCh6lnz7pRjZJtUC2ETa+IOTJ7J8Z2tCq106K1yKxtPNlPh U/g1q5Z8UG8K7qZPBbdr =F1Cm -----END PGP SIGNATURE-----
--------------enig73BF8446F824FBBDB41D9E8A--
|