Bug 771778 (CVE-2011-4577)
Summary: | CVE-2011-4577 openssl: malformed RFC 3779 data can cause assertion failures | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | erik-fedora, jlieskov, kalevlember, ktietz, lfarkas, rjones, tmraz, wnefal+redhatbugzilla |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-09-25 07:57:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 773239, 773240, 773330, 773331, 846586 | ||
Bug Blocks: | 771783 |
Description
Vincent Danen
2012-01-04 22:47:28 UTC
Seems to be the fix here: http://cvs.openssl.org/chngview?cn=21955 Unfortunately we do enable RFC3779 on RHEL-6 and Fedora. According to upstream NEWS file, support for RFC 3779 was introduced in version 0.9.8e. Hence the affected code is present in the sources for openssl in Red Hat Enterprise Linux 5 and openssl098e in Red Hat Enterprise Linux 6, but is not compiled in and used. Hence those versions are not affected by this issue. openssl-1.0.0f-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. Created mingw32-openssl tracking bugs for this issue Affects: fedora-all [bug 773330] Affects: epel-5 [bug 773331] openssl-1.0.0f-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4 and 5. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0059 https://rhn.redhat.com/errata/RHSA-2012-0059.html This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2012:0109 https://rhn.redhat.com/errata/RHSA-2012-0109.html |