Bugzilla – Bug 922498
VUL-1: CVE-2015-0208: openssl: [1.0.2 only] Segmentation fault for invalid PSS parameters
Last modified: 2015-03-19 14:11:33 UTC
We don't ship openssl 1.0.2.
bugbot adjusting priority
http://openssl.org/news/secadv_20150319.txt

Segmentation fault for invalid PSS parameters (CVE-2015-0208)
=============================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a

This issue was reported to OpenSSL on 31st January 2015 by Brian Carpenter and a fix developed by Stephen Henson of the OpenSSL development team.
Only affected 1.0.2, which we do not ship yet.