Bugtraq mailing list archives

Re: New OpenSSL releases fix denial of service attacks [17 March 2004]

From: Marc Bejarano <bugtraq () beej org>
Date: Wed, 17 Mar 2004 11:23:57 -0400

At 09:12 3/17/2004, Mark J Cox wrote:
>OpenSSL Security Advisory [17 March 2004]
>
>Updated versions of OpenSSL are now available which correct two
>security issues:

>1. Null-pointer assignment during SSL handshake

>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2004-0079 to this issue.

>2. Out-of-bounds read affects Kerberos ciphersuites

>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2004-0112 to this issue.

according to NISCC Vulnerability Advisory 224012 (http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also athird potential DoS that was found with this testing sweep: CVECAN-2004-0081. quoting from the NISCC advisory:

==
NISCC/224012/3 [OpenSSL 0.9.6]
CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tooluncovered a bug in older versions of OpenSSL 0.9.6 that can lead to aDenial of Service attack (infinite loop). This issue was traced to a fixthat was added to OpenSSL 0.9.6d some time ago. This issue will affectvendors that ship older versions of OpenSSL with backported security patches.

==

marc

Current thread:

New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
  - Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
    - Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Dave Markham (Mar 17)