| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Mar 2016 21:07:39 +0100 From: Cisco Systems Product Security Incident Response Team <psirt@...co.com> To: bugtraq@...urityfocus.com Cc: psirt@...co.com Subject: Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 Advisory ID: cisco-sa-20160302-openssl Version 1.0: Interim For Public Release: 2016 March 2 19:30 UTC (GMT) +--------------------------------------------------------------------- Summary ======= On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The remaining CVEs track low severity vulnerabilities. DROWN is a cross-protocol attack that actively exploits weaknesses in SSL version 2 (SSLv2) to decrypt passively collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any specific implementation of the protocol. To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server. This advisory will be updated as additional information becomes available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAEBAgAGBQJW10S9AAoJEK89gD3EAJB5NdkQAMtgK0CXafb5RAErJk8tL7gh ssAHSfxqIaa5/LtPKgUZokFGT+lr/QDsjy7dWzYXPOux/sPENgIQZlqwMfUEEw3w BHIx1H1KhJ4BFKAZTOMUjUmSQJv8rPfllekb87e4sK5+wk9JHO2azJoJ/YQlryBc b+DdHaltS+bptQ9uai63IVWz8ATDMtdCC7ZeA5lKcx184kVsbScawP46KQCHJwij IJZ0oCM9B6nagDMH75a53u7YIWz7ugs1CQgUSOoUOwdmgzNWEdohJ4uQL5epwHmY BDf1pZUMjemZyiP62aXQZnta6vCF0VLC2lrrWx2bfFOHfLQ5cv5ZcAS2CruzN0Y3 ox88g8xQSJkUYggqtzWsD7zuJYN30D59dsfWBxbAjEpK/bjcQnHX9+3oeRuyljBi L//EVLliYDTCnr/9+u2zCg42H5gsodEGscQZAoHLXvhDTV48/CaimpcISRyudTt8 8bIwgCvB35MbEcH2IIpzbIRjvmIt98CbxQGD5e1FGkBm1lmKqAoP77+h22IdAKh4 8YxN/W7qe0P1mVSfJVu5HYu44ZKKwhxd5ExT7NGCugJdEEB5DobXrsyu0jxR6gdq VCR+Tw2Xbk+Xuf+lL3cfUaMz+V2Bvqb1zVJpTp3i6ix3qy/Hwssp/bJctM4Cetka QNJPOHwNdCLuGkSqItKJ =cvrZ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists