CLD-8 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-3735 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) openssl
Deficiency Type SECURITY
Date Created 2017-09-05 10:14:57
Date Last Modified 2017-11-02 21:50:59

Version Specific Information:

Cucumber 1.0 i686fixed in openssl-1.0.2m-i686-1
Cucumber 1.0 x86_64fixed in openssl-1.0.2m-x86_64-1 and openssl-lib_i686-1.0.2m-lib_i686-1

Cucumber 1.1 i686 fixed in openssl-1.0.2m-i686-1
Cucumber 1.1 x86_64 fixed in openssl-1.0.2m-x86_64-1 and openssl-lib_i686-1.0.2m-lib_i686-1

Details:

While parsing an IPAdressFamily extension in an X.509 certificate, it is
possible to do a one-byte overread. This would result in an incorrect text
display of the certificate. This bug has been present since 2006 and is present
in all versions of OpenSSL since then
(https://nvd.nist.gov/vuln/detail/CVE-2017-3735).

Note that the OpenSSL developers consider this a "low severity fix" and are
therefore not pushing out the patch until the next release of OpenSSL :/
(https://www.openssl.org/news/secadv/20170828.txt).

Maybe it's time we considered switching to LibreSSL.