[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060928185858.GA4615@sivokote.iziade.m$>
Date: Thu, 28 Sep 2006 21:58:58 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Marcus Meissner <meissner@...e.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: SUSE Security Announcement: openssl security
problems (SUSE-SA:2006:058)
so you are giving credit to some pseudo 0days (corporate promotion), but you
are not giving credit to some pseudo 0days - see quoted text.
is this on purpose?
On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 1) Problem Description and Brief Discussion
>
> Several security problems were found and fixed in the OpenSSL
> cryptographic library.
>
> CVE-2006-3738/VU#547300:
> A Google security audit found a buffer overflow condition within the
> SSL_get_shared_ciphers() function which has been fixed.
>
> CVE-2006-4343/VU#386964:
> The above Google security audit also found that the OpenSSL SSLv2
> client code fails to properly check for NULL which could lead to a
> server program using openssl to crash.
>
> CVE-2006-2937:
> Fix mishandling of an error condition in parsing of certain invalid
> ASN1 structures, which could result in an infinite loop which consumes
> system memory.
>
> CVE-2006-2940:
> Certain types of public key can take disproportionate amounts of time
> to process. This could be used by an attacker in a denial of service
> attack to cause the remote side top spend an excessive amount of time
> in computation.
>
> 2) Solution or Work-Around
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists