Security
Security
A buffer underflow vulnerability and an information disclosure vulnerability have been discovered in OpenSSL.
| Package | dev-libs/openssl on all architectures |
|---|---|
| Affected versions | < 0.9.8e-r3 |
| Unaffected versions | >= 0.9.8e-r3 |
OpenSSL is an implementation of the Secure Socket Layer and Transport Layer Security protocols.
Moritz Jodeit reported an off-by-one error in the SSL_get_shared_ciphers() function, resulting from an incomplete fix of CVE-2006-3738. A flaw has also been reported in the BN_from_montgomery() function in crypto/bn/bn_mont.c when performing Montgomery multiplication.
A remote attacker sending a specially crafted packet to an application relying on OpenSSL could possibly execute arbitrary code with the privileges of the user running the application. A local attacker could perform a side channel attack to retrieve the RSA private keys.
There is no known workaround at this time.
All OpenSSL users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3"