Date: Tue, 14 Jul 2015 17:08:08 +0200
From: Markus Vervier <>
Subject: CVE Request: AWS s2n


I would like to request a CVE for s2n.

When a server is sending invalid DH values during a handshake, a BIGNUM
value is not properly initialized. This causes a null pointer
dereference in an s2n-based client, leading to a crash or possibly worse
on old systems (e.g. on Debian kernels lower than 2.6.26).

Technical details and a patch are available here:

The fix was merged and is in commit

Markus Vervier (IT Security Consultant and Software Developer),
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-261, Fax: -299,
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing directors: Oliver Michel, Sven Walther
