CVE-2009-0127

2009-01-1517:30:00

Debian Security Bug Tracker

security-tracker.debian.org

6.4 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

67.8%

JSON

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.

OSVersionArchitecturePackageVersionFilename
Debian12allm2crypto<= 0.38.0-4m2crypto_0.38.0-4_all.deb
Debian11allm2crypto<= 0.37.1-2m2crypto_0.37.1-2_all.deb
Debian10allm2crypto<= 0.31.0-4+deb10u2m2crypto_0.31.0-4+deb10u2_all.deb
Debian999allm2crypto<= 0.40.1-3m2crypto_0.40.1-3_all.deb
Debian13allm2crypto<= 0.40.1-3m2crypto_0.40.1-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	m2crypto	<= 0.38.0-4	m2crypto_0.38.0-4_all.deb
Debian	11	all	m2crypto	<= 0.37.1-2	m2crypto_0.37.1-2_all.deb
Debian	10	all	m2crypto	<= 0.31.0-4+deb10u2	m2crypto_0.31.0-4+deb10u2_all.deb
Debian	999	all	m2crypto	<= 0.40.1-3	m2crypto_0.40.1-3_all.deb
Debian	13	all	m2crypto	<= 0.40.1-3	m2crypto_0.40.1-3_all.deb