Date: Tue, 14 Jul 2015 17:08:08 +0200 From: Markus Vervier <markus.vervier@...xperts.de> To: oss-security@...ts.openwall.com Subject: CVE Request: AWS s2n Hi, I would like to request a CVE for s2n. When a server is sending invalid DH values during a handshake a BIGNUM value is not properly initialized. This causes a null pointer dereference in a s2n based client leading to a crash or possible worse on old systems (e.g. on Debian kernels lower than 2.6.26). Technical details and a patch are available here: https://github.com/awslabs/s2n/pull/124 The fix was merged and is in commit 9af6ba1815dfd5c00361cc3bd45cee1d64e0c3bf. Markus -- Markus Vervier (IT Security Consultant and Software Developer), http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel.: +49 (0) 6151 86086-261, Fax: -299, Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschäftsführer: Oliver Michel, Sven Walther [ CONTENT OF TYPE application/pkcs7-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ