Date: Tue, 28 Feb 2012 15:36:28 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthias Weckbecker <mweckbecker@...e.de>
Subject: Re: CVE request: openssl: null pointer dereference issue

On 02/27/2012 10:17 AM, Kurt Seifried wrote:
> On 02/27/2012 07:42 AM, Matthias Weckbecker wrote:
>> Hi Kurt, Steve, vendors,
>>
>> bad S/MIME messages with crafted MIME headers can result in a NULL pointer
>> dereference in openssl's asn1 parser,
>>
>> https://bugzilla.novell.com/show_bug.cgi?id=748738
>> http://email@example.com/msg30305.html
>> http://cvs.openssl.org/chngview?cn=22144
>>
>> Does it qualify for a CVE?
>>
>> Thanks,
>> Matthias
>
> Ok did some more research and here's what we got:
>
> First mention of this bug is in 2006:
>
> http://marc.info/?l=openssl-dev&m=115685408414194&w=2
>
> So please use CVE-2006-7248 for this issue.

Due to the Novell/kadu mis-paste this CVE needs to be re-issued. Please use
CVE-2006-7250 for this OpenSSL issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)