CVE-2009-0127

Published: 15 January 2009

** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
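The flaw class described above (and in CVE-2008-5077) comes from OpenSSL's three-valued return convention: EVP_VerifyFinal, DSA_verify and ECDSA_verify return 1 when the signature verifies, 0 when it does not, and a negative value when verification could not be performed at all (for example because the signature blob could not be decoded). A caller that tests `if (ret)` or `ret != 0` treats the error case as success. The following C program is an added example, not code from M2Crypto, OpenSSL, or the Ubuntu tracker: `mock_verify` is a constructed stand-in that mimics only the return convention, and the signature byte strings are constructed sample data. It shows the weak and the strict acceptance check side by side on a valid, an invalid and a malformed signature.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample signatures (not real DSA/ECDSA data). */
static const unsigned char GOOD_SIG[]      = {0x30, 0x02, 0x01, 0x02};
static const unsigned char BAD_SIG[]       = {0x30, 0x02, 0x01, 0x03};
static const unsigned char MALFORMED_SIG[] = {0x00, 0xff};

/* Hypothetical stand-in for EVP_VerifyFinal()/DSA_verify()/ECDSA_verify().
 * It copies only their return convention:
 *   1  -> signature verified
 *   0  -> signature did not verify
 *  -1  -> verification could not be performed (e.g. undecodable input) */
static int mock_verify(const unsigned char *sig, size_t siglen)
{
    /* A real decoder would fail on a blob that is not a DER SEQUENCE;
     * here a missing 0x30 tag models that decode error. */
    if (siglen == 0 || sig[0] != 0x30)
        return -1;
    if (siglen != sizeof GOOD_SIG || memcmp(sig, GOOD_SIG, siglen) != 0)
        return 0;
    return 1;
}

/* Weak check (the CVE-2008-5077 pattern): any non-zero value is taken
 * as success, so the -1 error path is accepted. */
int accept_weak(int rc)   { return rc != 0; }

/* Strict check: only an exact 1 means the signature verified. */
int accept_strict(int rc) { return rc == 1; }

/* Convenience wrappers: 1 if the signature is accepted, 0 otherwise. */
int verify_weak(const unsigned char *sig, size_t siglen)
{
    return accept_weak(mock_verify(sig, siglen));
}

int verify_strict(const unsigned char *sig, size_t siglen)
{
    return accept_strict(mock_verify(sig, siglen));
}

int main(void)
{
    printf("good      weak=%d strict=%d\n",
           verify_weak(GOOD_SIG, sizeof GOOD_SIG),
           verify_strict(GOOD_SIG, sizeof GOOD_SIG));
    printf("bad       weak=%d strict=%d\n",
           verify_weak(BAD_SIG, sizeof BAD_SIG),
           verify_strict(BAD_SIG, sizeof BAD_SIG));
    printf("malformed weak=%d strict=%d\n",
           verify_weak(MALFORMED_SIG, sizeof MALFORMED_SIG),
           verify_strict(MALFORMED_SIG, sizeof MALFORMED_SIG));
    return 0;
}
```

When auditing a wrapper such as M2Crypto, or any code calling these OpenSSL functions directly, the review question is whether each call site compares the result against exactly 1; a `!= 0` or bare truthiness test is the defect, and the malformed-signature case is the input that exposes it.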

Notes

Author: mdeslaur
Note:
may not be an issue, see redhat bug
debian: "m2crypto provides a direct mapping of the OpenSSL
functions, no incorrect call sites are known, if such are found
they should be fixed in the respective"
marking this as ignored

Priority

Medium

Status

Package: m2crypto (Launchpad, Ubuntu, Debian)

Release   Status
dapper    Ignored
gutsy     Ignored (end of life, was needed)
hardy     Ignored
intrepid  Ignored
jaunty    Ignored
karmic    Ignored
upstream  Ignored