First published: Tue Jun 01 2010
From the upstream advisory [1]:

> Invalid Return value check in pkey_rsa_verifyrecover
>
> When verification recovery fails for RSA keys an uninitialised buffer with an undefined length is returned instead of an error code ([CVE-2010-1633](https://access.redhat.com/security/cve/CVE-2010-1633)).
>
> This bug is only present in OpenSSL 1.0.0 and only affects applications that call the function EVP_PKEY_verify_recover(). As this function is not present in previous versions of OpenSSL and not used by OpenSSL internal code very few applications should be affected. The OpenSSL utility application "pkeyutl" does use this function.
>
> Affected users should update to 1.0.0a which contains a patch to correct this bug.
>
> Thanks to Peter-Michael Hager for reporting this issue.

[1] http://www.openssl.org/news/secadv_20100601.txt
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
OpenSSL | 1.0.0 | Update to 1.0.0a
OpenSSL | 1.0.0-beta1 | Update to 1.0.0a
OpenSSL | 1.0.0-beta2 | Update to 1.0.0a
OpenSSL | 1.0.0-beta3 | Update to 1.0.0a
OpenSSL | 1.0.0-beta4 | Update to 1.0.0a
OpenSSL | 1.0.0-beta5 | Update to 1.0.0a