SCIENTIFIC-LINUX-DEVEL Archives

August 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Matthias Schroeder <[log in to unmask]>
Reply To: Matthias Schroeder <[log in to unmask]>
Date: Fri, 8 Aug 2014 10:30:35 +0200
Content-Type: text/plain
Parts/Attachments: text/plain (68 lines)
On 08/08/2014 03:36 AM, Steven Haigh wrote:
> On 7/08/2014 2:04 PM, Steven Haigh wrote:
>> On 6/08/2014 11:54 AM, Steven Haigh wrote:
>>> On 6/08/2014 11:43 AM, Scott Dowdle wrote:
>>>> Greetings,
>>>>
>>>> ----- Original Message -----
>>>>> Hi guys,
>>>>>
>>>>> As an FYI, OpenSSL 0.9.8za, 1.0.0.m and 1.0.1h have been released with
>>>>> fixes for 7 vulnerabilities.
>>>>>
>>>>> http://www.openssl.org/news/secadv_20140605.txt
>>>>>
>>>>> Any news on updated packages in the pipeline?
>>>>
>>>> Look at the changelog for the current package (rpm -q --changelog openssl | less)
>>>
>>> Actually, my bad. There is a new lot to be released on 6th August at
>>> some time after 20.30 UTC - I messed up remembering that date/time...
>>> I'm UTC+10 - which makes it about 0630 on the 7th for me...
>>>
>>> http://marc.info/?l=openssl-announce&m=140706520526876&w=2
>>>
>>> That means I gave up the wrong URL for the announcement.
>>>
>>> I guess the proper URL will become:
>>> http://www.openssl.org/news/secadv_20140806.txt
>>>
>>> Stay tuned for further I guess....
>>>
>>
>> This has just been published:
>>
>> OpenSSL Security Advisory [6 Aug 2014]
>> ========================================
>> Information leak in pretty printing functions (CVE-2014-3508)
>> Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
>> Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
>> Double Free when processing DTLS packets (CVE-2014-3505)
>> DTLS memory exhaustion (CVE-2014-3506)
>> DTLS memory leak from zero-length fragments (CVE-2014-3507)
>> OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
>> OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
>> SRP buffer overrun (CVE-2014-3512)
>
> Hmmm - I haven't managed to see any movement with TUV on these issues...
> I found the BZ reports, but I can't see any work in progress or testing
> / proposed updates.

Before producing and testing updates TUV has to find out whether its 
code is affected at all by these issues. It might well be that the 
relevant code segments are not part of TUV's releases or that for some 
reason the issue has no security impact. So the first step is to find 
out which version of which distribution/package is affected. Traces of 
that you see in https://bugzilla.redhat.com/show_bug.cgi?id=1127490 for 
CVE-2014-3508. You will also see that new bugzilla entries are created 
for affected product versions.

Hope this helps,

Matthias

>
> I admit, I might be looking in the wrong places... Does anyone have any
> hints on where to track these?
>
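As an added example (not from this thread, Scientific Linux or TUV), the changelog check Scott suggests above turned into a small POSIX sh function that reports which of the 6 Aug 2014 advisory's CVE ids a package changelog does not yet mention; the changelog text below is constructed for the demonstration, and the commented `rpm -q --changelog openssl` pipe is how a real one would be fed in.

```shell
#!/bin/sh
# Added example, not code from the mailing list or from any distribution.
# Real use (hypothetical invocation):
#   missing=$(cves_not_in_changelog "$(rpm -q --changelog openssl)" "$ADVISORY_20140806_CVES")

# CVE ids taken from the OpenSSL Security Advisory [6 Aug 2014] quoted in the thread.
ADVISORY_20140806_CVES="CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 \
CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512"

# cves_not_in_changelog CHANGELOG_TEXT CVE_LIST
# Prints, one per line, every CVE id in CVE_LIST (space separated) that does
# not appear anywhere in CHANGELOG_TEXT. Matching is case-insensitive because
# some changelog entries write "cve-2014-xxxx". Prints nothing when all are found.
cves_not_in_changelog() {
    changelog=$1
    for cve in $2; do
        if ! printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Constructed sample changelog (not real Red Hat or SL changelog text): it
# mentions only two of the nine advisory ids, so seven should be reported.
SAMPLE_CHANGELOG='* Thu Aug 07 2014 Example Maintainer <maint@example.invalid> 1.0.1e-example
- fix CVE-2014-3505 - double free when processing DTLS packets
- fix cve-2014-3508 - information leak in pretty printing functions
* Thu Jun 05 2014 Example Maintainer <maint@example.invalid> 1.0.1e-example
- rebuild with updated build flags'

missing=$(cves_not_in_changelog "$SAMPLE_CHANGELOG" "$ADVISORY_20140806_CVES")
if [ -z "$missing" ]; then
    echo "changelog mentions every CVE id from the advisory"
else
    echo "CVE ids not mentioned in the changelog:"
    printf '%s\n' "$missing"
fi
```

A changelog entry is only evidence that the maintainer addressed the id, so an empty result means "nothing left to chase", not "nothing exploitable".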
