CVE-2009-0127

Publication date 15 January 2009

Last updated 24 July 2024


** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
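The bug class this record describes (and CVE-2008-5077) is a caller that treats any non-zero return from EVP_VerifyFinal, DSA_verify or ECDSA_verify as success, even though those functions return 1 for a verified signature, 0 for a wrong signature and a negative value on error (for example a malformed DER-encoded signature). The following C example is added here and is not M2Crypto or OpenSSL code; it uses a constructed stand-in verifier (mock_verify) that follows the same 1/0/-1 convention, and shows the vulnerable check beside the hardened one.

```c
#include <stddef.h>
#include <stdio.h>

/* Return convention of OpenSSL's EVP_VerifyFinal / DSA_verify / ECDSA_verify:
 *   1  -> signature verified
 *   0  -> signature does not match this key and data
 *  <0  -> an error occurred (e.g. the signature could not be decoded)
 * The vulnerable pattern treats every non-zero value as success. */
typedef int (*verify_fn)(const unsigned char *sig, size_t siglen);

/* Constructed stand-in for a real verify call (assumption, not OpenSSL):
 * an empty or odd-length blob is "undecodable" (-1), a blob whose first byte
 * is 0x01 verifies (1), anything else is a wrong signature (0). */
static int mock_verify(const unsigned char *sig, size_t siglen) {
    if (siglen == 0 || (siglen % 2) != 0) return -1;
    return sig[0] == 0x01 ? 1 : 0;
}

/* Vulnerable check: "non-zero means verified" also accepts the -1 error code,
 * so a malformed signature passes validation. */
int accepts_vulnerable(verify_fn verify, const unsigned char *sig, size_t siglen) {
    return verify(sig, siglen) != 0;
}

/* Hardened check: only the exact value 1 is success. A wrong signature and a
 * verification error are both rejected, but reported distinctly so an error
 * path is visible in logs instead of being confused with a bad signature. */
enum verify_status { SIG_OK = 0, SIG_BAD = 1, SIG_ERROR = 2 };

enum verify_status check_signature(verify_fn verify, const unsigned char *sig, size_t siglen) {
    int rc = verify(sig, siglen);
    if (rc == 1) return SIG_OK;
    if (rc == 0) return SIG_BAD;
    return SIG_ERROR;   /* rc < 0: decode or internal error, never "verified" */
}

int accepts_hardened(verify_fn verify, const unsigned char *sig, size_t siglen) {
    return check_signature(verify, sig, siglen) == SIG_OK;
}

int main(void) {
    const unsigned char malformed[] = { 0x30 };   /* constructed truncated blob */
    printf("malformed signature: vulnerable=%d hardened=%d\n",
           accepts_vulnerable(mock_verify, malformed, sizeof malformed),
           accepts_hardened(mock_verify, malformed, sizeof malformed));
    return 0;
}
```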


Status

Package    Ubuntu Release     Status
m2crypto   9.10 karmic        Ignored
m2crypto   9.04 jaunty        Ignored
m2crypto   8.10 intrepid      Ignored
m2crypto   8.04 LTS hardy     Ignored
m2crypto   7.10 gutsy         Ignored (end of life, was needed)
m2crypto   6.06 LTS dapper    Ignored

Notes


mdeslaur

May not be an issue, see redhat bug. Debian: "m2crypto provides a direct mapping of the OpenSSL functions, no incorrect call sites are known, if such are found they should be fixed in the respective". Marking this as ignored.