| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Mar 2004 11:23:57 -0400 From: Marc Bejarano <bugtraq@...j.org> To: Mark J Cox <mark@....com> Cc: <bugtraq@...urityfocus.com> Subject: Re: New OpenSSL releases fix denial of service attacks [17 March 2004] At 09:12 3/17/2004, Mark J Cox wrote: >OpenSSL Security Advisory [17 March 2004] > >Updated versions of OpenSSL are now available which correct two >security issues: >1. Null-pointer assignment during SSL handshake >The Common Vulnerabilities and Exposures project (cve.mitre.org) has >assigned the name CAN-2004-0079 to this issue. >2. Out-of-bounds read affects Kerberos ciphersuites >The Common Vulnerabilities and Exposures project (cve.mitre.org) has >assigned the name CAN-2004-0112 to this issue. according to NISCC Vulnerability Advisory 224012 ( http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a third potential DoS that was found with this testing sweep: CVE CAN-2004-0081. quoting from the NISCC advisory: == NISCC/224012/3 [OpenSSL 0.9.6] CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081 Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). This issue was traced to a fix that was added to OpenSSL 0.9.6d some time ago. This issue will affect vendors that ship older versions of OpenSSL with backported security patches. == marc
Powered by blists - more mailing lists