Bug 1127896

Summary: mingw32-openssl: multiple unfixed security flaws
Product: [Fedora] Fedora EPEL
Reporter: Tomas Hoger <thoger>
Component: mingw32-openssl
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: el5
CC: erik-fedora, jtfas90, lfarkas, rjones
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-09-01 13:32:29 UTC
Type: Bug
Bug Blocks: 476671, 492304, 492623, 501253, 501254, 501572, 503688, 533125, 546707, 569774, 570924, 576584, 598738, 649304, 659462, 676063, 908052

Description Tomas Hoger 2014-08-07 19:00:24 UTC
Looking at the list of bugs for mingw32-openssl in EPEL-5 for various security issues, I did a cross check of what's tracked, and what is listed as affecting 0.9.8j on the upstream vulnerability page:

https://www.openssl.org/news/vulnerabilities.html

The check yielded another long list of issues that were never fixed in EPEL-5.

CVE-2008-5077 CVE-2009-0590 CVE-2009-0591 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387 CVE-2009-3245 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433 CVE-2010-0740 CVE-2010-0742 CVE-2010-3864 CVE-2010-4180 CVE-2011-0014 CVE-2013-0166

+ CVE-2009-0789, which may not affect mingw32-openssl

Comment 1 Erik van Pienbroek 2014-09-01 13:32:29 UTC
All mingw32 packages have been removed from EPEL-5 as per https://fedorahosted.org/rel-eng/ticket/5977