Bump gitian OpenSSL dependency *again* #4135

issue laanwj opened this issue on May 6, 2014
  1. laanwj commented at 10:33 AM on May 6, 2014: member

    Looks like there has been another problem found in OpenSSL, CVE-2010-5298, a use-after-free which can be used for DoS.

    Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

    https://access.redhat.com/security/cve/CVE-2010-5298

    Pretty pointless in the case of bitcoind, as only hosts already in rpcallow could do the attack if you have rpcssl enabled. The GUI could maybe be made to crash by making it access a hostile server.

    In any case, for next release we may as well upgrade it...

  2. laanwj added this to the milestone 0.9.2 on May 6, 2014
  3. laanwj commented at 11:43 AM on May 6, 2014: member

    May be a non-issue.

    https://bugzilla.redhat.com/show_bug.cgi?id=1087195#c1

    "The bug only affects connections with the SSL_MODE_RELEASE_BUFFERS option set. This isn’t a compile option; it’s a runtime option set by the application."

    We don't set that option neither does Qt.

  4. laanwj added the label Build system on May 9, 2014
  5. laanwj commented at 9:43 AM on May 9, 2014: member

    This doesn't affect us, also no new version of OpenSSL has been released yet, so closing.

  6. laanwj closed this on May 9, 2014
  7. MarcoFalke locked this on Sep 8, 2021
Contributors
laanwj
Labels
Build system
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me