Alerts This Week
Warning Icon 1 687
Alerts This Week
Warning Icon 1 687

Gentoo: GLSA-201612-53 Normal: CyaSSL Code Execution Threats

gentoo
Calendar Grey December 31, 2016
Dist Gentoo Esm H88
Examine various vulnerabilities in CyaSSL affecting the Gentoo platform. Prompt measures recommended to guarantee protection.
Multiple vulnerabilities have been found in CyaSSL, the worst of which may allow attackers to execute arbitrary code.

Summary

Multiple vulnerabilities have been discovered in CyaSSL. Please review the CVE identifiers referenced below for details.

Topics%20covered

Topics Covered

security advisory gentoo code execution attack risks software issues normal severity CyaSSL

Resolution

Upstream has discontinued the software in favor of wolfSSL. Therefore, the CyaSSL package has been removed from the Gentoo repository and current users are advised to unmerge the package. # emerge --unmerge "net-libs/cyassl"

References

[ 1 ] CVE-2014-2896 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2896 [ 2 ] CVE-2014-2897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2897 [ 3 ] CVE-2014-2898 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2898 [ 4 ] CVE-2014-2899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2899 [ 5 ] CVE-2014-2900 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2900

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-53
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: CyaSSL: Multiple vulnerabilities
Date: December 31, 2016
Bugs: #507418
ID: 201612-53

Topics%20covered

Topics Covered

security advisory gentoo code execution attack risks software issues normal severity CyaSSL

Synopsis

Multiple vulnerabilities have been found in CyaSSL, the worst of which may allow attackers to execute arbitrary code.

Background

CyaSSL is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/cyassl *<= 2.9.4 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers.

Impact

===== An attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or conduct a man-in-the-middle attack.

Workaround

There is no known workaround at this time.

Related News

Your message here