[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

tqsllib stable update for CVE-2009-0124

the following CVE (Common Vulnerabilities & Exposures) id was
published for tqsllib some time ago.

| The tqsl_verifyDataBlock function in openssl_cert.cpp in American
| Radio Relay League (ARRL) tqsllib 2.0 does not properly check the
| return value from the OpenSSL EVP_VerifyFinal function, which allows
| remote attackers to bypass validation of the certificate chain via a
| malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable. It does
not warrant a DSA.

This is Debian bug #511509.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0124
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Kind regards

Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpaCnCefld2h.pgp
Description: PGP signature

Reply to: