lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0403171530040.387-100000@pingu.awe.com>
Date: Wed, 17 Mar 2004 15:30:25 +0000 (GMT)
From: Mark J Cox <mark@....com>
To: Marc Bejarano <bugtraq@...j.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: New OpenSSL releases fix denial of service attacks [17  March
 2004]


> according to NISCC Vulnerability Advisory 224012 ( 
> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a 
> third potential DoS that was found with this testing sweep: CVE 
> CAN-2004-0081.  quoting from the NISCC advisory:

Absolutely, but that was fixed back in 0.9.6d a long time ago.

> NISCC/224012/3 [OpenSSL 0.9.6]
> CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
> Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool 
> uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a 
> Denial of Service attack (infinite loop). This issue was traced to a fix 
> that was added to OpenSSL 0.9.6d some time ago. This issue will affect 
> vendors that ship older versions of OpenSSL with backported security patches.

Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ