| |||||||||||||||||||
Pardus alert 2010-119 (openssl)
------------------------------------------------------------------------ Pardus Linux Security Advisory 2010-119 security@pardus.org.tr ------------------------------------------------------------------------ Date: 2010-09-03 Severity: 3 Type: Local ------------------------------------------------------------------------ Summary ======= A vulnerability has been fixed in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. Description =========== CVE-2010-2939: Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. Affected packages: Pardus 2009: openssl, all before 0.9.8k-29-12 Resolution ========== There are update(s) for openssl. You can update them via Package Manager or with a single command from console: pisi up openssl References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=13982 * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-... ------------------------------------------------------------------------ _______________________________________________ Pardus-security mailing list Pardus-security@pardus.org.tr http://liste.pardus.org.tr/mailman/listinfo/pardus-security (Log in to post comments)
|
|||||||||||||||||||