CVE-2009-3245

Published: 5 March 2010

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Priority

Status

Package	Release	Status
openssl Launchpad, Ubuntu, Debian	upstream	Released (0.9.8m)
	dapper	Released (0.9.8a-7ubuntu0.13)
	hardy	Released (0.9.8g-4ubuntu3.11)
	intrepid	Ignored (end of life, was needed)
	jaunty	Released (0.9.8g-15ubuntu3.6)
	karmic	Released (0.9.8g-16ubuntu3.3)
	lucid	Released (0.9.8k-7ubuntu8)
	Patches: upstream: http://cvs.openssl.org/chngview?cn=18936 (0.9.8) upstream: http://cvs.openssl.org/chngview?cn=19309 (0.9.8)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
https://ubuntu.com/security/notices/USN-1003-1
NVD
Launchpad
Debian

Bugs

http://rt.openssl.org/Ticket/Display.html?id=2111&user=guest&pass=guest
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3245
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/655884

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›