Message-ID: <20060928185858.GA4615@sivokote.iziade.m$>
Date: Thu, 28 Sep 2006 21:58:58 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Marcus Meissner <meissner@...e.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: SUSE Security Announcement: openssl security
	problems (SUSE-SA:2006:058)

so you are giving credit to some pseudo 0days (corporate promotion), but you
are not giving credit to some pseudo 0days - see quoted text.

is this on purpose?


On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 1) Problem Description and Brief Discussion
> 
>    Several security problems were found and fixed in the OpenSSL
>    cryptographic library.
> 
>    CVE-2006-3738/VU#547300:
>    A Google security audit found a buffer overflow condition within the
>    SSL_get_shared_ciphers() function which has been fixed.
> 
>    CVE-2006-4343/VU#386964:
>    The above Google security audit also found that the OpenSSL SSLv2
>    client code fails to properly check for NULL which could lead to a
>    server program using openssl to crash.
> 
>    CVE-2006-2937:
>    Fix mishandling of an error condition in parsing of certain invalid
>    ASN1 structures, which could result in an infinite loop which consumes
>    system memory.
> 
>    CVE-2006-2940:
>    Certain types of public key can take disproportionate amounts of time
>    to process. This could be used by an attacker in a denial of service
>    attack to cause the remote side to spend an excessive amount of time
>    in computation.
> 
> 2) Solution or Work-Around
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
