Bug 208744
| Summary: | openssl - patch for CVE-2006-2940 Parasitic Public Keys has issues | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Michal Jaegermann <michal> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Priority: | urgent |
| Version: | 4.0 | CC: | bugs-redhat, security-response-team |
| Hardware: | All | Keywords: | Security |
| OS: | Linux | Doc Type: | Bug Fix |
| Last Closed: | 2007-07-25 11:25:37 UTC | Bug Blocks: | 209116 |

Description
Michal Jaegermann
2006-10-01 14:03:06 UTC
May I ask what happens with this issue? This bug report got marked "urgent" nearly a month ago, openssl-0.9.8b-8 and openssl097a-0.9.7a-9 showed up in rawhide (now FC6) with a correction, but so far nothing in RHEL or FC5.

Well, the status is still ASSIGNED.

This issue does indeed affect Red Hat's OpenSSL fix for CVE-2006-2940. We consider this flaw to be very low severity as, based on our security response team analysis, all it can cause is a client crash upon processing a malicious client certificate. Upstream also classes this issue as low severity and, although it is fixed in OpenSSL CVS, no new release was produced to correct this issue. We plan to address this issue when a future OpenSSL update is needed.

This was fixed in RHEL-4.5 openssl errata.