Open Source and information security mailing list archives
 
Message-ID: <6.0.3.0.2.20040317134433.031f9ec0@127.0.0.1>
Date: Wed, 17 Mar 2004 13:52:07 -0400
From: Marc Bejarano <bugtraq@...j.org>
To: Mark J Cox <mark@....com>
Cc: bugtraq@...urityfocus.com
Subject: Re: New OpenSSL releases fix denial of service attacks [17 March 2004]


At 11:30 3/17/2004, Mark J Cox wrote:
 >> according to NISCC Vulnerability Advisory 224012 (
 >> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
 >> third potential DoS that was found with this testing sweep: CVE
 >> CAN-2004-0081.  quoting from the NISCC advisory:
 >
 >Absolutely, but that was fixed back in 0.9.6d a long time ago.

there appears to be a new CVE number corresponding to this issue.  that 
either means that 1) the issue is really new to CVE and most people weren't 
aware of it and should be made so, regardless of whether a fix was slipped 
in long ago or 2) the CVE number is a dupe and should be marked as such.

do you know which case we have?

if the former, the OpenSSL folks have a duty to advise their users of the 
newly discovered vulnerability.  as the NISCC advisory states the issue 
would "affect vendors that ship older versions of OpenSSL with backported 
security patches".  if the latter, then the NISCC folks need to clear 
things up in their advisory.

cheers,
marc


