Sorry, but it seems that it is the other way around--vulnerable are versions < 0.9.8f, unaffected versions >= 0.9.8f. Gruß, Steffan On Tue, Oct 30, 2007, Pierre-Yves Rofes wrote: > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >Gentoo Linux Security Advisory GLSA 200710-30:02 >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > http://security.gentoo.org/ >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Severity: High > Title: OpenSSL: Remote execution of arbitrary code > Date: October 27, 2007 > Updated: October 30, 2007 > Bugs: #195634 > ID: 200710-30:02 > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >Synopsis >======== > >OpenSSL contains a vulnerability allowing execution of arbitrary code >or a Denial of Service. > >Background >========== > >OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer >(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general >purpose cryptography library. > >Affected packages >================= > > ------------------------------------------------------------------- > Package / Vulnerable / Unaffected > ------------------------------------------------------------------- > 1 dev-libs/openssl >= 0.9.8f < 0.9.8f > >Description >=========== > >Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is >caused due to an unspecified off-by-one error within the DTLS >implementation. > >Impact >====== > >A remote attacker could exploit this issue to execute arbitrary code or >cause a Denial of Service. Only clients and servers explicitly using >DTLS are affected, systems using SSL and TLS are not. > >Workaround >========== > >There is no known workaround at this time. > >Resolution >========== > >All OpenSSL users should upgrade to the latest version: > > # emerge --sync > # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8f" > >References >========== > > [ 1 ] CVE-2007-4995 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4995 > >Availability >============ > >This GLSA and any updates to it are available for viewing at >the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-200710-30.xml > >Concerns? >========= > >Security is a primary focus of Gentoo Linux and ensuring the >confidentiality and security of our users machines is of utmost >importance to us. Any security concerns should be addressed to >security@xxxxxxxxxx or alternatively, you may file a bug at >http://bugs.gentoo.org. > >License >======= > >Copyright 2007 Gentoo Foundation, Inc; referenced text >belongs to its owner(s). > >The contents of this document are licensed under the >Creative Commons - Attribution / Share Alike license. > >http://creativecommons.org/licenses/by-sa/2.5 >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.7 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQFHJ65ouhJ+ozIKI5gRAgZBAJ9AxCEUPQdufW9CpSfknxulEzbKOACgkS9z >i1D8SXsVh4DYdAFCXE5XMaU= >=PTxu >-----END PGP SIGNATURE----- >-- >gentoo-announce@xxxxxxxxxx mailing list
Attachment:
pgp21oD2vUMvr.pgp
Description: PGP signature