Note: By now the libgcrypt tests will be built again while cross-compiling
but we have to explicitly disable MPI assembler modules, which leads
to unresolved symbols otherwise. In general this shouldn't cause any
troubles as it seems that assembler modules aren't even used while
compiling natively. At least I couldn't find any related symbols in
any natively compiled libgcrypt binaries I have access to currently.
Note: We have to assure that the right libgcrypt is used while cross-compiling
by passing '--with-libgcrypt-prefix' confopt as well as disabling the
built-in tests.
CVE-2008-1678 (Medium) :
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f
through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via
multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server
mod_ssl that specify a compression algorithm.
CVE-2008-1657 (Medium) :
OpenSSH before 4.9 allows remote authenticated users to bypass the sshd_config
ForceCommand directive by modifying the .ssh/rc session file.
CVE-2008-1530 (High) :
GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via crafted duplicate keys that are imported from key servers,
which triggers "memory corruption around deduplication of user IDs."