[gentoo-announce] [ GLSA 201604-04 ] libksba: Multiple vulnerabilities

Fabricante: Gentoo
Fecha: 26/04/2016
Identificador: GLSA 201604-04
[gentoo-announce] [ GLSA 201604-04 ] libksba: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201604-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libksba: Multiple vulnerabilities Date: April 26, 2016 Bugs: #546464 ID: 201604-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in libksba, allowing a possible Denial of Service and unspecified other vectors through integer overflows. Background ========== Libksba is a X.509 and CMS (PKCS#7) library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libksba < 1.3.3 >= 1.3.3 Description =========== libksba is vulnerable to two integer overflows and a Denial of Service vulnerability. Please read the references for additional details. Impact ====== Remote attackers could cause Denial of Service or unspecified other vectors through various integer overflows. Workaround ========== There is no known workaround at this time. Resolution ========== All libksba users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libksba-1.3.3" References ========== [ 1 ] Denial of Service due to stack overflow in src/ber-decoder.c http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a [ 2 ] Integer overflow in the BER decoder src/ber-decoder.c http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 [ 3 ] Integer overflow in the DN decoder src/dn.c http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201604-04 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5