blob: cdd5b3289e056e97898ee68411561fc8e14f17ae [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200710-30">
<title>OpenSSL: Remote execution of arbitrary code</title>
OpenSSL contains a vulnerability allowing execution of arbitrary code or a
Denial of Service.
<product type="ebuild">openssl</product>
<announced>October 27, 2007</announced>
<revised>October 30, 2007: 03</revised>
<package name="dev-libs/openssl" auto="yes" arch="*">
<unaffected range="ge">0.9.8f</unaffected>
<vulnerable range="lt">0.9.8f</vulnerable>
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is
caused due to an unspecified off-by-one error within the DTLS
<impact type="high">
A remote attacker could exploit this issue to execute arbitrary code or
cause a Denial of Service. Only clients and servers explicitly using
DTLS are affected, systems using SSL and TLS are not.
There is no known workaround at this time.
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-libs/openssl-0.9.8f&quot;</code>
<uri link="">CVE-2007-4995</uri>
<metadata tag="requester" timestamp="Tue, 16 Oct 2007 17:07:11 +0000">
<metadata tag="bugReady" timestamp="Tue, 16 Oct 2007 17:07:40 +0000">
<metadata tag="submitter" timestamp="Tue, 23 Oct 2007 17:06:07 +0000">