OpenSSL: Remote execution of arbitrary code — GLSA 200710-30

OpenSSL contains a vulnerability allowing execution of arbitrary code or a Denial of Service.

Affected Packages

dev-libs/openssl on all architectures
Affected versions < 0.9.8f
Unaffected versions >= 0.9.8f

Background

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.

Description

Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is caused due to an unspecified off-by-one error within the DTLS implementation.

Impact

A remote attacker could exploit this issue to execute arbitrary code or cause a Denial of Service. Only clients and servers explicitly using DTLS are affected, systems using SSL and TLS are not.

Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8f"

References

Release Date
October 27, 2007

Latest Revision
October 30, 2007: 03

Severity
high

Exploitable
remote

Bugzilla entries