Package: openssl
Version: 0.9.8o-4squeeze13
Severity: grave
Tags: security
Justification: user security hole

openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].

As far as I can see the problem is gone in 1.0.1c - but I leave this bug open for unstable/testing so that it can be double-checked by someone more versed in openssl.

[1] http://security-tracker.debian.org/tracker/CVE-2011-5095
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
[2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html
[3] http://cvs.openssl.org/chngview?cn=14375

cu
AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6       2.13-33
ii  libssl1.0.0 1.0.1c-3
ii  zlib1g      1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates 20120623

-- no debconf information
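The report above says the FIPS DH code path skipped the peer public value validation that crypto/dh/dh_key.c performs via DH_check_pub_key. The following is an added illustration, not code from the bug report or from OpenSSL, of what that validation consists of and why the key derivation must be gated on it: a peer value y is rejected if y <= 1, if y >= p-1, or, when the subgroup order q is known, if y^q mod p != 1 (a value outside the intended subgroup). The flag names, the dh_params struct, the helper names and the tiny constructed group (p = 23, q = 11, g = 2) are all assumptions made for this example; real parameters are thousands of bits and would use BIGNUM arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Result flags modelled on the meaning of OpenSSL's DH_check_pub_key()
 * codes; the names and values here are this example's own. */
enum {
    DHCHK_OK               = 0,
    DHCHK_PUBKEY_TOO_SMALL = 1,   /* y <= 1 */
    DHCHK_PUBKEY_TOO_LARGE = 2,   /* y >= p - 1 */
    DHCHK_PUBKEY_INVALID   = 4    /* q known and y^q mod p != 1 */
};

/* Hypothetical DH parameter set for the example (not an OpenSSL type). */
typedef struct {
    uint64_t p;   /* prime modulus (assumed >= 3) */
    uint64_t g;   /* generator of the order-q subgroup */
    uint64_t q;   /* subgroup order, 0 if not known */
} dh_params;

/* (a * b) mod m without overflow, using a 128-bit intermediate (GCC/Clang). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Square-and-multiply modular exponentiation. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

/* Validate a peer's public value y. Returns 0 if acceptable, else a bitmask
 * of DHCHK_* flags describing why it was rejected. */
int dh_check_pub_key(const dh_params *dh, uint64_t y) {
    int flags = 0;
    if (y <= 1)          flags |= DHCHK_PUBKEY_TOO_SMALL;
    if (y >= dh->p - 1)  flags |= DHCHK_PUBKEY_TOO_LARGE;
    /* Subgroup membership only makes sense for an in-range value. */
    if (flags == 0 && dh->q != 0 && powmod(y, dh->q, dh->p) != 1)
        flags |= DHCHK_PUBKEY_INVALID;
    return flags;
}

/* Derive the shared secret y^x mod p, but only after the peer value passes
 * validation. Returns 0 on success, -1 if the public value was rejected. */
int dh_compute_key(const dh_params *dh, uint64_t peer_pub, uint64_t priv,
                   uint64_t *secret) {
    if (dh_check_pub_key(dh, peer_pub) != DHCHK_OK)
        return -1;
    *secret = powmod(peer_pub, priv, dh->p);
    return 0;
}

int main(void) {
    /* Constructed toy group: 23 = 2*11 + 1, and 2 has order 11 mod 23. */
    const dh_params dh = { 23, 2, 11 };
    const uint64_t peers[] = { 0, 1, 22, 5, 9 };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        uint64_t secret = 0;
        int rc = dh_compute_key(&dh, peers[i], 6, &secret);
        printf("peer y=%2llu: check flags=%d, compute_key rc=%d\n",
               (unsigned long long)peers[i], dh_check_pub_key(&dh, peers[i]), rc);
    }
    return 0;
}
```

The value 22 (p-1) has order 2 and 5 lies outside the order-11 subgroup; a derivation that skipped the check would happily compute a secret from either, which is exactly the class of input the missing DH_check_pub_key call in fips_dh_key.c let through. Only 9 is accepted above, and with private exponent 6 it yields the secret 9^6 mod 23 = 3.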