On 7/08/2014 2:04 PM, Steven Haigh wrote:
> On 6/08/2014 11:54 AM, Steven Haigh wrote:
>> On 6/08/2014 11:43 AM, Scott Dowdle wrote:
>>> Greetings,
>>>
>>> ----- Original Message -----
>>>> Hi guys,
>>>>
>>>> As an FYI, OpenSSL 0.9.8za, 1.0.0.m and 1.0.1h have been released with
>>>> fixes for 7 vulnerabilities.
>>>>
>>>> http://www.openssl.org/news/secadv_20140605.txt
>>>>
>>>> Any news on updated packages in the pipeline?
>>>
>>> Look at the changelog for the current package (rpm -q --changelog openssl | less)
>>
>> Actually, my bad. There is a new lot to be released on 6th August at
>> some time after 20.30 UTC - I messed up remembering that date/time...
>> I'm UTC+10 - which makes it about 0630 on the 7th for me...
>>
>> http://marc.info/?l=openssl-announce&m=140706520526876&w=2
>>
>> That means I gave up the wrong URL for the announcement.
>>
>> I guess the proper URL will become:
>> http://www.openssl.org/news/secadv_20140806.txt
>>
>> Stay tuned for further I guess....
>>
>
> This has just been published:
>
> OpenSSL Security Advisory [6 Aug 2014]
> ========================================
> Information leak in pretty printing functions (CVE-2014-3508)
> Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
> Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
> Double Free when processing DTLS packets (CVE-2014-3505)
> DTLS memory exhaustion (CVE-2014-3506)
> DTLS memory leak from zero-length fragments (CVE-2014-3507)
> OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
> OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
> SRP buffer overrun (CVE-2014-3512)

Hmmm - I haven't managed to see any movement with TUV on these issues...
I found the BZ reports, but I can't see any work in progress or testing /
proposed updates. I admit, I might be looking in the wrong places...

Does anyone have any hints on where to track these?

--
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299