On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
>
> CVE-2009-1386[0]:
> | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> | a denial of service (NULL pointer dereference and daemon crash) via a
> | DTLS ChangeCipherSpec packet that occurs before ClientHello.

So this is already fixed in unstable, but not in testing/stable/oldstable.
Since this seems to be DTLS related, this doesn't affect openssl097.

> CVE-2009-1387[1]:
> | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> | of service (NULL pointer dereference and daemon crash) via an
> | out-of-sequence DTLS handshake message, related to a "fragment bug."

I'll upload this to unstable, and provide fixed packages for stable/oldstable for both issues.

Kurt