Mageia alert MGASA-2014-0187 (openssl) [LWN.net]

From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2014-0187: Updated openssl packages fix CVE-2010-5298 
Date:
    	       Wed, 23 Apr 2014 18:04:31 +0200
Message-ID:
    	       <20140423160431.D0268415D8@valstar.mageia.org>
MGASA-2014-0187 - Updated openssl packages fix CVE-2010-5298

Publication date: 23 Apr 2014
URL: http://advisories.mageia.org/MGASA-2014-0187.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2010-5298

Description:
Updated openssl packages fix security vulnerability:

A read buffer can be freed even when it still contains data that is used
later on, leading to a use-after-free. Given a race condition in a
multi-threaded application it may permit an attacker to inject data from
one connection into another or cause denial of service (CVE-2010-5298).

Also fixed in this update is a potential security issue with detection of
the "critical" flag for the TSA extended key usage under certain cases.

References:
- https://www.debian.org/security/2014/dsa-2908
- https://bugs.mageia.org/show_bug.cgi?id=13210
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298

SRPMS:
- 4/core/openssl-1.0.1e-8.4.mga4
- 3/core/openssl-1.0.1e-1.7.mga3

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2014-0187: Updated openssl packages fix CVE-2010-5298
Date:		Wed, 23 Apr 2014 18:04:31 +0200
Message-ID:		<20140423160431.D0268415D8@valstar.mageia.org>