[Pkg-openssl-devel] CVE-2007-4995 and CVE-2007-5135
Kurt Roeckx
kurt at roeckx.be
Wed Mar 12 22:04:23 UTC 2008
On Tue, Mar 11, 2008 at 05:43:36PM -0400, Bennet Fauber wrote:
> Sorry to bother you with questions. We've found a great deal of confusion
> about the two vulnerabilities CVE-2007-4995 and CVE-2007-5135. These were
> reported in the same advisory from openssl,
>
> http://www.openssl.org/news/secadv_20071012.txt
>
> on Oct 12, 2008. The two bugs appear to affect slightly different sets of
^^^^
I guess you mean 2007.
> openssl versions, and they both appear to be off-by-one errors. I think I
> see that one, CVE-2007-5135, which was off-by-one in the
> SSL_get_shared_ciphers() function from the changelog, but I don't see any
> reference to CVE-2007-4995 which may not have been reported until Oct.
> The second of these affects DTLS, and I have been unable to find anyplace
> where DTLS is actually used, so it may not matter much.
>
> But, there is a security department sending me nagging letters, so I
> thought I would ask whether you know anything about that second bug and
> whether it is likely to be addressed?
There is an overview available at:
http://security-tracker.debian.net/tracker/source-package/openssl
which still lists those as outstanding:
CVE-2007-3108
CVE-2007-4995
About CVE-2007-5135:
This is the off-by-one error in SSL_get_shared_ciphers(). This has
been fixed in all versions of openssl in oldstable, stable, testing and
unstable. There is an overview at:
http://security-tracker.debian.net/tracker/CVE-2007-5135
Then there is CVE-2007-4995:
This is about DTLS. Some advisories claim it's an off-by-one error, but
it's a rather big change for an off-by-one error. It's new since 0.9.8.
You're probably not using it. DTLS is for datagram protocols such as UDP.
As far as I know until the "fixed" version, support for it wasn't that
good. You can see an overview of the status at:
http://security-tracker.debian.net/tracker/CVE-2007-4995
It only lists the version in etch (0.9.8c-4etch1) as not fixed. I
recently got a patch from Red Hat from our security team. It's about
1600 lines long, which is one of the reasons this wasn't backported.
I plan to upload that to stable proposed updates soon.
About CVE-2007-3108:
This is also still open for stable and oldstable. It's only a local
attack and so is low priority. Since I'll do an upload to
stable-proposed updates, it's a good time to also fix this one there. I
don't plan to do an update for oldstable.
Kurt
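The bug class the thread attributes to CVE-2007-5135 (an off-by-one in SSL_get_shared_ciphers()), illustrated on a constructed routine of the same shape: a bounded join of cipher names with ':' into a caller-supplied buffer. This is an added editorial example, not OpenSSL's code and not anything the thread's authors wrote; the function names, the canary harness and the sample cipher lists are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not OpenSSL code): a bounded routine that joins
 * cipher names with ':' into a caller-supplied buffer, in the spirit of
 * SSL_get_shared_ciphers(), shown once with an off-by-one in its length
 * accounting and once hardened. Names, harness and samples are assumptions. */

typedef char *(*joiner_fn)(const char *const *names, size_t count,
                           char *buf, size_t len);

/* Buggy: checks that each name fits but never reserves the byte that must
 * follow it (':' or the terminating NUL). When the names exactly fill the
 * buffer, the final NUL lands at buf[len], one byte past the end. */
char *join_ciphers_buggy(const char *const *names, size_t count,
                         char *buf, size_t len)
{
    char *p = buf;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        if (n > len)                 /* BUG: must account for n + 1 bytes */
            return NULL;
        memcpy(p, names[i], n);
        p += n;
        len -= n;
        if (i + 1 < count) {
            *p++ = ':';              /* can itself be the out-of-bounds byte */
            if (len)
                len--;
        }
    }
    *p = '\0';                       /* buf[len] when the buffer was exactly full */
    return buf;
}

/* Hardened: reserve the NUL up front, then require room for each name plus
 * its separator before copying. On failure the partial result is
 * NUL-terminated inside the buffer and NULL is returned, so the caller can
 * distinguish truncation from success. */
char *join_ciphers_safe(const char *const *names, size_t count,
                        char *buf, size_t len)
{
    char *p = buf;
    if (len == 0)
        return NULL;
    len--;                           /* one byte reserved for the NUL */
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        size_t need = n + (i + 1 < count ? 1 : 0);
        if (need > len) {
            *p = '\0';               /* p is always within buf[0..len-1] here */
            return NULL;
        }
        memcpy(p, names[i], n);
        p += n;
        len -= n;
        if (i + 1 < count) {
            *p++ = ':';
            len--;
        }
    }
    *p = '\0';
    return buf;
}

/* Detection harness: run a joiner on a buffer of logical size len carved out
 * of a larger backing array, with a canary byte at backing[len]. Returns 1 if
 * the canary was overwritten (the joiner wrote past its buffer), 0 if not,
 * and -1 if len does not fit the backing array. */
int clobbers_canary(joiner_fn fn, const char *const *names, size_t count,
                    size_t len)
{
    char backing[128];
    if (len + 1 >= sizeof backing)
        return -1;
    memset(backing, 0, sizeof backing);
    backing[len] = 0x7f;
    fn(names, count, backing, len);
    return backing[len] != 0x7f;
}

/* Constructed sample input (these happen to be OpenSSL cipher-suite names). */
const char *const SAMPLE_ONE[] = { "AES128-SHA" };               /* 10 chars */
const char *const SAMPLE_TWO[] = { "RC4-SHA", "DES-CBC3-SHA" };  /* 7 + ':' + 12 */

int main(void)
{
    char out[32];
    printf("buggy, 10-byte buffer for a 10-char name: canary clobbered = %d\n",
           clobbers_canary(join_ciphers_buggy, SAMPLE_ONE, 1, 10));
    printf("safe,  10-byte buffer for a 10-char name: canary clobbered = %d\n",
           clobbers_canary(join_ciphers_safe, SAMPLE_ONE, 1, 10));
    if (join_ciphers_safe(SAMPLE_TWO, 2, out, sizeof out))
        printf("safe join: %s\n", out);
    return 0;
}
```

The canary harness is the check a reviewer or tester would want for any bounded-copy routine: size the buffer to exactly the length the routine believes it has, and watch the byte just beyond it. The buggy variant trips it whenever the names fill the buffer exactly; the hardened variant never writes past buf[len-1] and reports truncation through its return value instead of silently producing a shorter list.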