Package: openssl
Version: 0.9.8c-4, 0.9.7e-3sarge4
Severity: critical
Tags: sarge, etch, security

According to http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 is not yet
available):

Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL
0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary
code via a crafted packet that triggers a one-byte buffer underflow.

According to the German IT news magazine "Heise Online", 0.9.7m and
0.9.8e are also affected:
http://www.heise.de/security/news/meldung/96710

Original source seems to be this Bugtraq posting:
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded

According to this posting, all lower versions are affected, too.

The release dates of 0.9.8e and 0.9.7m and the time line in the above
mentioned Bugtraq posting suggest that not only 0.9.7l and 0.9.8d but
also 0.9.7m and 0.9.8e are affected -- as Heise wrote.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22.3-amd64-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssl depends on:
ii  libc6          2.3.6.ds1-13etch2  GNU C Library: Shared libraries
ii  libssl0.9.8    0.9.8c-4           SSL shared libraries
ii  zlib1g         1:1.2.3-13         compression library - runtime

openssl recommends no packages.

-- no debconf information
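As an added illustration for reviewers of this report (not code from the bug report, the advisory, or OpenSSL): a simplified model of the job SSL_get_shared_ciphers performs, writing a ':'-separated list of cipher names into a caller-supplied buffer, written so that every store, including the final terminator, stays inside the buffer. The function name, the cipher names and the assumption that the one-byte underflow comes from a trailing-separator overwrite of the form p[-1] = '\0' on an empty result are all assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL code. Models the ':'-joined cipher list that
 * SSL_get_shared_ciphers writes into 'buf' (size 'len'). The hazard this
 * guards against: a join that ends with p[-1] = '\0' to overwrite the
 * trailing ':' steps one byte *before* 'buf' when nothing was written,
 * i.e. a one-byte buffer underflow. Every store below is inside
 * [buf, buf + len), and the result is always NUL-terminated. */
char *join_cipher_names(const char **names, size_t n, char *buf, size_t len)
{
    char *p = buf;
    char *end = buf + len;            /* one past the last writable byte */

    if (buf == NULL || len == 0)
        return NULL;                  /* not even room for the terminator */

    for (size_t i = 0; i < n; i++) {
        for (const char *cp = names[i]; *cp != '\0'; cp++) {
            if (p + 1 >= end) {       /* must keep one byte for '\0' */
                *p = '\0';
                return buf;           /* truncated mid-name, but terminated */
            }
            *p++ = *cp;
        }
        if (p + 1 >= end) {           /* no room for ':' plus '\0' */
            *p = '\0';
            return buf;
        }
        *p++ = ':';
    }

    /* Drop the trailing ':' only when something was actually written.
     * With n == 0, p == buf and p[-1] would be the underflow. */
    if (p > buf)
        p[-1] = '\0';
    else
        *p = '\0';
    return buf;
}
```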