1127896 – mingw32-openssl: multiple unfixed security flaws

Bug 1127896 - mingw32-openssl: multiple unfixed security flaws

Summary: mingw32-openssl: multiple unfixed security flaws

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	mingw32-openssl
Sub Component:
Version:	el5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Richard W.M. Jones
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2008-5077 CVE-2009-0590 CVE-2009-0591 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433 CVE-2009-3245 CVE-2010-0740 CVE-2010-0742 CVE-2010-3864 CVE-2010-4180 CVE-2011-0014 CVE-2013-0166
TreeView+	depends on / blocked

Reported:	2014-08-07 19:00 UTC by Tomas Hoger
Modified:	2014-09-01 13:32 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-09-01 13:32:29 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2014-08-07 19:00:24 UTC

Looking at the list of bugs for mingw32-openssl in EPEL-5 for various security issues, I did a cross check of what's tracked, and what is listed as affecting 0.9.8j on the upstream vulnerability page:

https://www.openssl.org/news/vulnerabilities.html

The check yielded another long list of issues that were never fixed in EPEL-5.

CVE-2008-5077 CVE-2009-0590 CVE-2009-0591 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387 CVE-2009-3245 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433 CVE-2010-0740 CVE-2010-0742 CVE-2010-3864 CVE-2010-4180 CVE-2011-0014 CVE-2013-0166

+ CVE-2009-0789, which may not affect mingw32-openssl

Comment 1 Erik van Pienbroek 2014-09-01 13:32:29 UTC

All mingw32 packages have been removed from EPEL-5 as per https://fedorahosted.org/rel-eng/ticket/5977

Note You need to log in before you can comment on or make changes to this bug.