*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

Binary package hint: openssl

When trying to make our server PCI compliant I found that the latest
openssl package 0.9.8g-4ubuntu3.x hasn't been updated to address
CVE-2009-3245. This is surprising since it has been fixed and released
in Debian stable so I wonder if this is just an oversight here.

"OpenSSL before 0.9.8m does not check for a NULL return value from
bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2)
crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4)
engines/e_ubsec.c, which has unspecified impact and context-dependent
attack vectors."

Can we get these changes into the 8.04LTS openssl packages? Thanks.

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
CVE-2009-3245 not fixed for 8.04LTS
https://bugs.edge.launchpad.net/bugs/655884
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
