ArchLinux: 201609-28: lib32-openssl: denial of service
Summary
A bug fix that included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result, any attempt to use CRLs in OpenSSL 1.0.2i crashes on a NULL pointer dereference, so any 32-bit application that performs CRL-based revocation checking against lib32-openssl 1.0.2i is subject to denial of service. The issue was reported to OpenSSL on 22 September 2016 by Bruce Stephens and Thomas Jakobi.
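The following smoke test is an added example and is not part of the Arch advisory or of OpenSSL itself. It exercises exactly the operation the advisory describes (verifying a certificate with CRL checking enabled) using a throwaway CA, leaf certificate and empty CRL that it generates on the fly with the openssl command line tool; the config file, the function name crl_check_smoke_test and the certificate names are all assumptions made for the example. On the affected 1.0.2i the final "openssl verify -crl_check" dies on the NULL pointer dereference; on 1.0.2j or any other fixed build it prints "leaf.crt: OK".

```shell
#!/bin/sh
# Added example, not Arch or OpenSSL code: exercise CRL checking the way the
# advisory describes. Everything below is a throwaway fixture generated here.

crl_check_smoke_test() {
    work=$(mktemp -d) || return 2
    rc=0
    (
        cd "$work" || exit 2

        # Self-contained config so the test does not depend on the system
        # openssl.cnf: [req]/[v3_ca] for the CA cert, [ca]/[test_ca] for -gencrl.
        cat > test.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
        # Throwaway CA and a leaf certificate signed by it.
        openssl req -config test.cnf -x509 -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -subj /CN=crl-smoke-test-ca -days 1 \
            2>/dev/null || exit 2
        openssl req -config test.cnf -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj /CN=leaf 2>/dev/null || exit 2
        openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out leaf.crt -days 1 2>/dev/null || exit 2

        # Empty but well-formed CRL issued by the CA.
        : > index.txt
        echo 01 > crlnumber
        openssl ca -config test.cnf -gencrl -keyfile ca.key -cert ca.crt \
            -out ca.crl 2>/dev/null || exit 2

        # This is the call that crashes on 1.0.2i. The output is matched rather
        # than the exit status because older "openssl verify" builds exit 0
        # even when verification fails.
        status=0
        out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt 2>&1) \
            || status=$?
        case "$out" in
            *"leaf.crt: OK"*)
                echo "CRL check works: $(openssl version)"
                exit 0 ;;
        esac
        echo "CRL check FAILED (exit $status) on $(openssl version): $out" >&2
        exit 1
    ) || rc=$?
    rm -rf "$work"
    return $rc
}

crl_check_smoke_test
```

The openssl binary on Arch links the native (64-bit) library, so this run only tells you about the openssl package. To exercise lib32-openssl specifically, the same verification has to be performed by a 32-bit program linked against it; an exit status of 139 (SIGSEGV) from that program, rather than "leaf.crt: OK", is the behaviour the advisory describes.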
Resolution
Upgrade to 1:1.0.2.j-1.
# pacman -Syu "lib32-openssl>=1:1.0.2.j-1"
The problem has been fixed upstream in version 1.0.2j.
References
https://openssl-library.org/news/secadv/20160926.txt
https://access.redhat.com/security/cve/CVE-2016-7052
Workaround
None.