Date: Mon, 12 Jan 2009 14:39:44 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: CVE Request -- tsqllib, slurm-llnl, libnasl,
	libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto

Hello Steve,

  could you please allocate CVE ids for the following OpenSSL's
CVE-2008-5077 related issues:

tsqllib:  https://bugzilla.redhat.com/show_bug.cgi?id=479650
          http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509

libnasl: https://bugzilla.redhat.com/show_bug.cgi?id=479655
         http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517

boinc-client: https://bugzilla.redhat.com/show_bug.cgi?id=479664
              http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511521

m2crypto: https://bugzilla.redhat.com/show_bug.cgi?id=479676
          http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515

Other related issues (probably more to come):
slurm-llnl:                 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511511
libcrypt-openssl-dsa-perl:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
erlang:                     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520
                            (Lower severity issue due to the fact that the output of
                             the DSA_do_verify function is further processed and
                             sent back to the caller, where it is compared against 1:

From lib/crypto/src/crypto.erl:

dss_verify(Dgst,Signature,Key) ->
    control(?DSS_VERIFY, [Dgst,Signature,Key]) == <<1>>.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
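
The return-value distinction drawn above for erlang, as an added example that is not part of the original message or of any listed project's code. `toy_verify` and the sample byte strings are constructed stand-ins; they only model the tri-state result of OpenSSL's `DSA_do_verify` (1 valid, 0 invalid, -1 error) to show why a caller that tests only for zero accepts the error case while a comparison against 1 does not.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a tri-state verifier (not OpenSSL code).
 * Toy "signature": one length byte, then that many bytes that must equal
 * the digest. Returns 1 = valid, 0 = invalid, -1 = error (unparsable). */
static int toy_verify(const unsigned char *dgst, size_t dlen,
                      const unsigned char *sig, size_t slen)
{
    if (slen < 1 || (size_t)sig[0] != slen - 1)
        return -1;                  /* malformed encoding */
    if (sig[0] != dlen || memcmp(sig + 1, dgst, dlen) != 0)
        return 0;                   /* well-formed, wrong signature */
    return 1;
}

/* Caller pattern behind CVE-2008-5077: only 0 counts as failure,
 * so the -1 error result falls through as "verified". */
int accept_loose(const unsigned char *d, size_t dl,
                 const unsigned char *s, size_t sl)
{
    if (!toy_verify(d, dl, s, sl))
        return 0;
    return 1;
}

/* Corrected pattern: accept only an explicit 1. */
int accept_strict(const unsigned char *d, size_t dl,
                  const unsigned char *s, size_t sl)
{
    return toy_verify(d, dl, s, sl) == 1;
}

/* Constructed sample inputs. */
static const unsigned char DGST[]      = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_GOOD[]  = { 4, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_WRONG[] = { 4, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char SIG_MALF[]  = { 9, 0xde, 0xad }; /* bad length */

int main(void)
{
    printf("good:      loose=%d strict=%d\n",
           accept_loose(DGST, 4, SIG_GOOD, 5), accept_strict(DGST, 4, SIG_GOOD, 5));
    printf("wrong:     loose=%d strict=%d\n",
           accept_loose(DGST, 4, SIG_WRONG, 5), accept_strict(DGST, 4, SIG_WRONG, 5));
    printf("malformed: loose=%d strict=%d\n",
           accept_loose(DGST, 4, SIG_MALF, 3), accept_strict(DGST, 4, SIG_MALF, 3));
    return 0;
}
```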
