Bug 623483 (CVE-2010-2939)
Summary: | CVE-2010-2939 openssl: double-free vulnerability in ssl3_get_key_exchange() | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | unspecified | CC: | bressers, tmraz
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-08-12 16:34:07 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Vincent Danen
2010-08-11 21:41:54 UTC
I'm not 100% sure of the impact here as it looks like it might just be in the openssl client. I don't know if this code is used by other clients linked to the openssl libraries or not, so at this point cannot say if other applications are impacted by this.

Except this code is not compiled in on our openssl - no ECC support there.

ECC or ECDH? So where this problem falls, we don't compile that support into any version of openssl we provide?

Yes, it's in #ifndef OPENSSL_NO_ECDH. And the ECDH is not even in the source tarball due to patent concerns with ECC.

Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5 as they did not include support for ECDH.