Re: [SECURITY] [DSA 2950-1] openssl security update
On Thu, Jun 05, 2014 at 05:13:33PM +0100, Adam D. Barratt wrote:
> On 2014-06-05 15:46, Florian Zumbiehl wrote:
> >Hi,
> >
> >>Package : openssl
> >>CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
> >
> >is it intentional that you didn't fix CVE-2014-0198
>
> That was fixed last month - https://www.debian.org/security/2014/dsa-2931
So that's fixed since 1.0.1e-2+deb7u9
> >and CVE-2010-5298?
>
> https://security-tracker.debian.org/tracker/CVE-2010-5298 indicates that
> this is only an issue if OPENSSL_NO_BUF_FREELIST is enabled, which it's not
> in the Debian package. Is that not correct?
This was fixed in DSA-2908-1 (1.0.1e-2+deb7u7)
I think that comment is wrong. It depends on the use of the
SSL_MODE_RELEASE_BUFFERS options by applications.
As far as I know OPENSSL_NO_BUF_FREELIST will have an effect on
how likely it is that you run into a problem with it, but the
problem is always there.
Kurt
Reply to: