Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 17:08:08 +0200
From: Markus Vervier <markus.vervier@...xperts.de>
To: oss-security@...ts.openwall.com
Subject: CVE Request: AWS s2n


Hi,

I would like to request a CVE for s2n.

When a server is sending invalid DH values during a handshake a BIGNUM
value is not properly initialized. This causes a null pointer
dereference in a s2n based client leading to a crash or possible worse
on old systems (e.g. on Debian kernels lower than 2.6.26).

Technical details and a patch are available here:

https://github.com/awslabs/s2n/pull/124

The fix was merged and is in commit
9af6ba1815dfd5c00361cc3bd45cee1d64e0c3bf.

Markus
-- 
Markus Vervier (IT Security Consultant and Software Developer),
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-261, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther


[ CONTENT OF TYPE application/pkcs7-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ