svn commit: r520513 - head/security/vuxml
Bernard Spil
brnrd at FreeBSD.org
Fri Dec 20 15:04:42 UTC 2019
Author: brnrd
Date: Fri Dec 20 15:04:41 2019
New Revision: 520513
URL: https://svnweb.freebsd.org/changeset/ports/520513
Log:
security/vuxml: Document OpenSSL 1.0.2 vuln
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Dec 20 14:54:08 2019 (r520512)
+++ head/security/vuxml/vuln.xml Fri Dec 20 15:04:41 2019 (r520513)
@@ -58,6 +58,41 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="d778ddb0-2338-11ea-a1c7-b499baebfeaf">
+ <topic>OpenSSL -- Overflow vulnerability</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2u,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20191206.txt">
+ <p>rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)<br/>
+ There is an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against
+ DH512 are considered just feasible. However, for an attack the target
+ would have to re-use the DH512 private key, which is not recommended
+ anyway. Also applications directly using the low level API BN_mod_exp
+ may be affected if they use BN_FLG_CONSTTIME.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20191206.txt</url>
+ <cvename>CVE-2019-1551</cvename>
+ </references>
+ <dates>
+ <discovery>2019-12-06</discovery>
+ <entry>2019-12-20</entry>
+ </dates>
+ </vuln>
+
<vuln vid="70111759-1dae-11ea-966a-206a8a720317">
<topic>spamassassin -- multiple vulnerabilities</topic>
<affects>
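Review bot: The `<affects>` block of the new entry lists only the `openssl` package with `<range><lt>1.0.2u,1</lt></range>`, while the comment directly above the hunk reminds committers not to forget port variants. If any other OpenSSL port or variant in the tree carries the same rsaz_512_sqr code, it needs its own `<package>` element with the version that fixes it, otherwise users of those packages will not be flagged by this entry. The `<topic>` "OpenSSL -- Overflow vulnerability" is also generic; reusing the advisory's own wording from the blockquote (rsaz_512_sqr overflow bug on x86_64) would make this entry easier to tell apart from other OpenSSL entries in vuln.xml.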