GLSA-200710-06 : OpenSSL: Multiple vulnerabilities
Critical Nessus Plugin ID 26946
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200710-06 (OpenSSL: Multiple vulnerabilities)
Moritz Jodeit reported an off-by-one error in the SSL_get_shared_ciphers() function, resulting from an incomplete fix of CVE-2006-3738. A flaw has also been reported in the BN_from_montgomery() function in crypto/bn/bn_mont.c when performing Montgomery multiplication.
A remote attacker sending a specially crafted packet to an application relying on OpenSSL could possibly execute arbitrary code with the privileges of the user running the application. A local attacker could perform a side channel attack to retrieve the RSA private keys.
There is no known workaround at this time.
SolutionAll OpenSSL users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=dev-libs/openssl-0.9.8e-r3'