OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Mar-2004 14:18:38
Branch: HEAD Handle: 2004031813183800
Modified files:
openpkg-web/security OpenPKG-SA-2004.007-openssl.txt
Log:
flush pending changes
Summary:
Revision Changes Path
1.3 +10 -10 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2004.007-openssl.txt
--- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 12:39:10
-0000 1.2
+++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:18:38
-0000 1.3
@@ -48,28 +48,28 @@
samba sasl sendmail siege sio sitecopy snort socat
squid stunnel suck tcpdump vorbis-tools w3m wget
- (*) many packages are only affected if they or their
- underlying packages used certain TLS/SSL related
+ (*) many packages are only affected if they (or their
+ underlying packages) used certain TLS/SSL related
options ("with_xxx") during build time. Above is
a worst case list. Packages known to only use
libcrypo without libssl are not affected and were
already omitted from the list.
Description:
- According to an OpenSSL [0] security advisory [1], denial of service
+ According to an OpenSSL [0] security advisory [1], a denial of service
vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
and versions 0.9.7a to 0.9.7c inclusive.
Testing performed by the OpenSSL group uncovered a null-pointer
assignment in the do_change_cipher_spec() function. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
- CAN-2004-0079 [3] to the problem.
+ CAN-2004-0079 [2] to the problem.
Stephen Henson discovered a flaw in SSL/TLS handshaking code
- when using Kerberos ciphersuites. The OpenPKG makes no use of
- this functionality but the patch was included anyway. The Common
- Vulnerabilities and Exposures (CVE) project assigned the id
- CAN-2004-0112 [2] to the problem.
+ when using Kerberos ciphersuites. The OpenPKG packages make no
+ use of this functionality but the patch was included anyway. The
+ Common Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2004-0112 [3] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
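Review bot: In the added line "According to an OpenSSL [0] security advisory [1], a denial of service", the new article "a" no longer agrees with the plural "vulnerabilities exist" on the unchanged line that follows. The description goes on to list two separate issues, so drop the "a" again rather than switching to the singular. The unchanged context line "libcrypo without libssl are not affected and were" still misspells libcrypto and could be corrected in the same revision. The renumbered citations, [2] for CAN-2004-0079 and [3] for CAN-2004-0112, agree with the References list.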
@@ -101,8 +101,8 @@
________________________________________________________________________
References:
- [0] http://www.openssl.org/news/secadv_20040317.txt
- [1] http://www.openssl.org/
+ [0] http://www.openssl.org/
+ [1] http://www.openssl.org/news/secadv_20040317.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
[4] http://www.openpkg.org/tutorial.html#regular-source
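Review bot: With [0] and [1] swapped in the References list, every citation of [0] or [1] elsewhere in the advisory needs to be rechecked, and only the one in the Description ("an OpenSSL [0] security advisory [1]") is visible in this diff. That citation now resolves correctly to the project site and the secadv_20040317.txt advisory. The log message "flush pending changes" also gives no hint that reference numbering in a published security advisory was corrected; a more specific message would help anyone comparing revisions 1.2 and 1.3 later.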
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]