Nixpkgs security tracker

Untriaged

Permalink CVE-2015-5333

created 2 months ago Activity log

Created suggestion 2 months ago

Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 …

Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (memory consumption) via a large number of ASN.1 object identifiers in X.509 certificates.

References

http://packetstormsecurity.com/files/133998/Qualys-Security-Advisory-LibreSSL-L… x_transferredx_refsource_MISC
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt x_transferredx_refsource_CONFIRM
http://www.securityfocus.com/archive/1/archive/1/536692/100/0/threaded x_transferredx_refsource_MISC
http://lists.opensuse.org/opensuse-updates/2015-10/msg00050.html x_transferredx_refsource_MISC

Affected products

LibreSSL

==before 2.3.1

Matching in nixpkgs

pkgs.netcat

Utility which reads and writes data across network connections — LibreSSL implementation

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-25.11 4.2.1
- nixos-25.11-small 4.2.1
- nixpkgs-25.11-darwin 4.2.1

pkgs.libressl

Free TLS/SSL implementation

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-25.11 4.2.1
- nixos-25.11-small 4.2.1
- nixpkgs-25.11-darwin 4.2.1

pkgs.libressl_3_6

Free TLS/SSL implementation

pkgs.libressl_3_7

Free TLS/SSL implementation

pkgs.libressl_3_8

Free TLS/SSL implementation

pkgs.libressl_3_9

Free TLS/SSL implementation

pkgs.libressl_4_0

Free TLS/SSL implementation

pkgs.libressl_4_1

Free TLS/SSL implementation

nixos-unstable 4.1.2
- nixpkgs-unstable 4.1.2
- nixos-unstable-small 4.1.2
nixos-25.11 4.1.2
- nixos-25.11-small 4.1.2
- nixpkgs-25.11-darwin 4.1.2

pkgs.libressl_4_2

Free TLS/SSL implementation

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-25.11 4.2.1
- nixos-25.11-small 4.2.1
- nixpkgs-25.11-darwin 4.2.1

Package maintainers

@thoughtpolice Austin Seipp <aseipp@pobox.com>
@fpletz Franz Pletz <fpletz@fnordicwalking.de>

Untriaged

Permalink CVE-2015-5334

created 2 months ago Activity log

Created suggestion 2 months ago

Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 …

Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (program crash) or possible execute arbitrary code via a crafted X.509 certificate, which triggers a stack-based buffer overflow. Note: this vulnerability exists because of an incorrect fix for CVE-2014-3508.