CyaSSL: Multiple vulnerabilities — GLSA 201612-53

Multiple vulnerabilities have been found in CyaSSL, the worst of which may allow attackers to execute arbitrary code.

Affected Packages

net-libs/cyassl on all architectures
Affected versions revision <= 2.9.4
Unaffected versions

Background

CyaSSL is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud.

Description

Multiple vulnerabilities have been discovered in CyaSSL. Please review the CVE identifiers referenced below for details.

Impact

An attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or conduct a man-in-the-middle attack.

Workaround

There is no known workaround at this time.

Resolution

Upstream has discontinued the software in favor of wolfSSL. Therefore, the CyaSSL package has been removed from the Gentoo repository and current users are advised to unmerge the package.

 # emerge --unmerge "net-libs/cyassl"
 

References

Release Date
December 31, 2016

Latest Revision
December 31, 2016: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries