SCIENTIFIC-LINUX-DEVEL Archives

August 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Steven Haigh <[log in to unmask]>
Reply To:
Steven Haigh <[log in to unmask]>
Date:
Fri, 8 Aug 2014 11:36:09 +1000
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (2063 bytes) , signature.asc (849 bytes)
On 7/08/2014 2:04 PM, Steven Haigh wrote:
> On 6/08/2014 11:54 AM, Steven Haigh wrote:
>> On 6/08/2014 11:43 AM, Scott Dowdle wrote:
>>> Greetings,
>>>
>>> ----- Original Message -----
>>>> Hi guys,
>>>>
>>>> As an FYI, OpenSSL 0.9.8za, 1.0.0.m and 1.0.1h have been released with
>>>> fixes for 7 vulnerabilities.
>>>>
>>>> http://www.openssl.org/news/secadv_20140605.txt
>>>>
>>>> Any news on updated packages in the pipeline?
>>>
>>> Look at the changelog for the current package (rpm -q --changelog openssl | less)
>>
>> Actually, my bad. There is a new lot to be released on 6th August at
>> some time after 20.30 UTC - I messed up remembering that date/time...
>> I'm UTC+10 - which makes it about 0630 on the 7th for me...
>>
>> http://marc.info/?l=openssl-announce&m=140706520526876&w=2
>>
>> That means I gave up the wrong URL for the announcement.
>>
>> I guess the proper URL will become:
>> http://www.openssl.org/news/secadv_20140806.txt
>>
>> Stay tuned for further I guess....
>>
> 
> This has just been published:
> 
> OpenSSL Security Advisory [6 Aug 2014]
> ========================================
> Information leak in pretty printing functions (CVE-2014-3508)
> Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
> Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
> Double Free when processing DTLS packets (CVE-2014-3505)
> DTLS memory exhaustion (CVE-2014-3506)
> DTLS memory leak from zero-length fragments (CVE-2014-3507)
> OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
> OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
> SRP buffer overrun (CVE-2014-3512)

Hmmm - I haven't managed to see any movement with TUV on these issues...
I found the BZ reports, but I can't see any work in progress or testing
/ proposed updates.

I admit, I might be looking in the wrong places... Does anyone have any
hints on where to track these?

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
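The changelog check suggested in the quoted reply, turned into a script (an added example, not code from this thread or from the distribution): it takes the nine CVE ids from the quoted advisory and reports which of them an RPM changelog names. The changelog text here is a constructed sample; on a real host you feed it the output of `rpm -q --changelog openssl`.

```shell
#!/bin/sh
# Added example, not code from the thread: report which CVEs from the
# 6 Aug 2014 OpenSSL advisory an RPM changelog mentions.

# The nine advisory entries, as quoted in the thread (id, then title).
advisory_cves() {
cat <<'EOF'
CVE-2014-3508 Information leak in pretty printing functions
CVE-2014-5139 Crash with SRP ciphersuite in Server Hello message
CVE-2014-3509 Race condition in ssl_parse_serverhello_tlsext
CVE-2014-3505 Double Free when processing DTLS packets
CVE-2014-3506 DTLS memory exhaustion
CVE-2014-3507 DTLS memory leak from zero-length fragments
CVE-2014-3510 OpenSSL DTLS anonymous EC(DH) denial of service
CVE-2014-3511 OpenSSL TLS protocol downgrade attack
CVE-2014-3512 SRP buffer overrun
EOF
}

# check_changelog FILE: one line per advisory CVE, FIXED if the changelog
# text in FILE names the id, MISSING otherwise.
check_changelog() {
    advisory_cves | while read -r cve title; do
        if grep -q -- "$cve" "$1"; then status=FIXED; else status=MISSING; fi
        printf '%-7s %s  %s\n' "$status" "$cve" "$title"
    done
}

# missing_cves FILE: just the ids still unaccounted for, one per line.
missing_cves() {
    check_changelog "$1" | awk '$1 == "MISSING" { print $2 }'
}

# Constructed sample changelog (not real package metadata): a hypothetical
# build that backported only the three DTLS fixes.
SAMPLE_CHANGELOG=$(mktemp)
trap 'rm -f "$SAMPLE_CHANGELOG"' EXIT
cat > "$SAMPLE_CHANGELOG" <<'EOF'
* Wed Aug 06 2014 Example Maintainer <maint@example.invalid> - 1.0.1e-30.1
- fix CVE-2014-3505 - doublefree in DTLS packet processing
- fix CVE-2014-3506 - avoid memory exhaustion in DTLS
- fix CVE-2014-3507 - avoid memory leak in DTLS
EOF

# On a real host, replace the sample with the installed package's changelog:
#   rpm -q --changelog openssl > /tmp/openssl-changelog
#   check_changelog /tmp/openssl-changelog
check_changelog "$SAMPLE_CHANGELOG"
```

A CVE id in the changelog only records that the maintainer claims a backported fix; the package version itself usually does not change, so the changelog (or the vendor's errata) is the thing to check, not `openssl version`.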


