On Mon, Jun 08, 2009 at 08:57:20PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> > Package: openssl
> > Severity: serious
> > Tags: security
> >
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) IDs were
> > published for openssl.
> >
> > CVE-2009-1386[0]:
> > | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> > | a denial of service (NULL pointer dereference and daemon crash) via a
> > | DTLS ChangeCipherSpec packet that occurs before ClientHello.
> >
> > CVE-2009-1387[1]:
> > | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> > | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> > | of service (NULL pointer dereference and daemon crash) via an
> > | out-of-sequence DTLS handshake message, related to a "fragment bug."
>
> Packages for stable and oldstable are available at:
> http://people.debian.org/~kroeckx/openssl/
>
> Note that the issues fixed in previous versions were never
> uploaded to the security archive, so both fix 5 CVEs.
Hi,

Nothing happened with this yet. Are you planning on releasing a DSA for
this, or should I just upload them to proposed-updates instead?


Kurt


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
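Both CVE descriptions quoted in the report come down to the same class of defect: a DTLS server acting on a record for which it holds no state yet (a ChangeCipherSpec before any ClientHello, or a handshake fragment whose message_seq is not the one currently expected) and dereferencing a pointer that was never set up. The following is an added example, not OpenSSL's or Debian's code, that models the two checks a DTLS record layer needs at those points: reject a CCS until a ClientHello has been processed, and buffer or drop an out-of-sequence handshake fragment instead of processing it. Record and handshake header layouts follow RFC 4347 (DTLS 1.0); the message bodies, the `ServerState` class and the outcome strings are constructed for illustration and do not correspond to any OpenSSL function.

```python
"""Illustrative DTLS record and handshake-fragment state checks (added example,
not OpenSSL code). Wire layouts follow RFC 4347; server logic is a toy model."""
import struct
from dataclasses import dataclass, field

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
DTLS10_VERSION = 0xFEFF
RECORD_HEADER_LEN = 13     # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HEADER_LEN = 12  # msg_type(1) length(3) message_seq(2) frag_off(3) frag_len(3)


@dataclass
class Record:
    content_type: int
    version: int
    epoch: int
    sequence: int
    body: bytes


@dataclass
class Fragment:
    msg_type: int
    length: int        # length of the whole handshake message
    message_seq: int
    frag_off: int
    data: bytes        # bytes carried by this fragment


def parse_record(buf: bytes):
    """Parse one DTLS record; return (Record, remaining bytes of the datagram)."""
    if len(buf) < RECORD_HEADER_LEN:
        raise ValueError("short record header")
    ctype, version, epoch = struct.unpack("!BHH", buf[:5])
    sequence = int.from_bytes(buf[5:11], "big")
    (length,) = struct.unpack("!H", buf[11:13])
    end = RECORD_HEADER_LEN + length
    if end > len(buf):
        raise ValueError("record length exceeds datagram")
    return Record(ctype, version, epoch, sequence, buf[RECORD_HEADER_LEN:end]), buf[end:]


def parse_fragment(body: bytes) -> Fragment:
    """Parse a handshake fragment header and bounds-check it against the record body."""
    if len(body) < HANDSHAKE_HEADER_LEN:
        raise ValueError("short handshake header")
    length = int.from_bytes(body[1:4], "big")
    message_seq = int.from_bytes(body[4:6], "big")
    frag_off = int.from_bytes(body[6:9], "big")
    frag_len = int.from_bytes(body[9:12], "big")
    if frag_off + frag_len > length:
        raise ValueError("fragment extends past end of message")
    if HANDSHAKE_HEADER_LEN + frag_len > len(body):
        raise ValueError("fragment truncated")
    return Fragment(body[0], length, message_seq, frag_off,
                    bytes(body[HANDSHAKE_HEADER_LEN:HANDSHAKE_HEADER_LEN + frag_len]))


@dataclass
class ServerState:
    hello_seen: bool = False
    expected_seq: int = 0                         # next handshake message_seq we act on
    partial: dict = field(default_factory=dict)   # message_seq -> (data, seen) being reassembled
    buffered: dict = field(default_factory=dict)  # message_seq -> fragments that arrived early

    def handle_datagram(self, datagram: bytes) -> list:
        outcomes, rest = [], datagram
        while rest:
            try:
                rec, rest = parse_record(rest)
                outcomes.append(self.handle_record(rec))
            except ValueError as exc:
                outcomes.append(f"error: {exc}")
                break
        return outcomes

    def handle_record(self, rec: Record) -> str:
        if rec.content_type == CONTENT_CHANGE_CIPHER_SPEC:
            # No handshake exists yet, so there is no session state a CCS could apply to.
            if not self.hello_seen:
                return "drop: ChangeCipherSpec before ClientHello"
            return "accept: ChangeCipherSpec"
        if rec.content_type == CONTENT_HANDSHAKE:
            return self.handle_fragment(parse_fragment(rec.body))
        return f"drop: unexpected content type {rec.content_type}"

    def handle_fragment(self, frag: Fragment) -> str:
        if frag.message_seq < self.expected_seq:
            return f"drop: retransmitted message_seq={frag.message_seq}"
        if frag.message_seq > self.expected_seq:
            # Arrived early: hold it, never act on it before its turn.
            self.buffered.setdefault(frag.message_seq, []).append(frag)
            return f"buffer: out-of-sequence message_seq={frag.message_seq}"
        if not self.hello_seen and frag.msg_type != HS_CLIENT_HELLO:
            return f"drop: handshake type {frag.msg_type} before ClientHello"
        message = self._reassemble(frag)
        if message is None:
            return f"partial: message_seq={frag.message_seq} ({frag.frag_off}+{len(frag.data)}/{frag.length})"
        if frag.msg_type == HS_CLIENT_HELLO:
            self.hello_seen = True
        self.expected_seq += 1
        for early in self.buffered.pop(self.expected_seq, []):   # its turn has come
            self.handle_fragment(early)
        return f"accept: handshake type={frag.msg_type} message_seq={frag.message_seq} ({len(message)} bytes)"

    def _reassemble(self, frag: Fragment):
        data, seen = self.partial.setdefault(
            frag.message_seq, (bytearray(frag.length), bytearray(frag.length)))
        if len(data) != frag.length:
            raise ValueError("inconsistent message length across fragments")
        end = frag.frag_off + len(frag.data)
        data[frag.frag_off:end] = frag.data
        seen[frag.frag_off:end] = b"\x01" * len(frag.data)
        if not all(seen):
            return None
        del self.partial[frag.message_seq]
        return bytes(data)


def build_record(content_type: int, body: bytes, epoch: int = 0, sequence: int = 0) -> bytes:
    """Encode one DTLS 1.0 record (constructed input for the demo)."""
    return (struct.pack("!BHH", content_type, DTLS10_VERSION, epoch)
            + sequence.to_bytes(6, "big") + struct.pack("!H", len(body)) + body)


def build_fragment(msg_type: int, message_seq: int, length: int, frag_off: int, data: bytes) -> bytes:
    """Encode one DTLS handshake fragment (constructed input for the demo)."""
    return (bytes([msg_type]) + length.to_bytes(3, "big") + message_seq.to_bytes(2, "big")
            + frag_off.to_bytes(3, "big") + len(data).to_bytes(3, "big") + data)


def demo() -> list:
    """Feed a fresh server both CVE trigger conditions, then a fragmented ClientHello."""
    srv = ServerState()
    hello = bytes(range(40))   # placeholder ClientHello body, not a real one
    steps = [
        build_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01"),                                  # CCS first
        build_record(CONTENT_HANDSHAKE, build_fragment(16, 2, 8, 0, b"\x00" * 8)),          # message_seq 2 early
        build_record(CONTENT_HANDSHAKE, build_fragment(HS_CLIENT_HELLO, 0, 40, 0, hello[:24])),
        build_record(CONTENT_HANDSHAKE, build_fragment(HS_CLIENT_HELLO, 0, 40, 24, hello[24:])),
        build_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01"),                                  # CCS now valid
        build_record(CONTENT_HANDSHAKE, b"\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x20"),  # frag_len 32 > length 16
    ]
    return [out for d in steps for out in srv.handle_datagram(d)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is where the checks sit: content-type handling consults handshake state before touching anything a ClientHello would have created, and fragments are bounds-checked and sequence-checked before any reassembly buffer is indexed. Buffered fragments are only revisited once `expected_seq` reaches their message_seq, which is the ordering the real record layer must also respect.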