SecurityFocus

New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 01:12PM
Mark J Cox (mark awe com) (2 replies)

Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:23PM
Marc Bejarano (bugtraq beej org) (1 replies)

At 09:12 3/17/2004, Mark J Cox wrote:
>OpenSSL Security Advisory [17 March 2004]
>
>Updated versions of OpenSSL are now available which correct two
>security issues:

>1. Null-pointer assignment during SSL handshake

>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2004-0079 to this issue.

>2. Out-of-bounds read affects Kerberos ciphersuites

>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2004-0112 to this issue.

according to NISCC Vulnerability Advisory 224012 (
http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
third potential DoS that was found with this testing sweep: CVE
CAN-2004-0081. quoting from the NISCC advisory:
==
NISCC/224012/3 [OpenSSL 0.9.6]
CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a
Denial of Service attack (infinite loop). This issue was traced to a fix
that was added to OpenSSL 0.9.6d some time ago. This issue will affect
vendors that ship older versions of OpenSSL with backported security patches.
==

marc

[ reply ]

Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:30PM
Mark J Cox (mark awe com) (1 replies)

Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 05:52PM
Marc Bejarano (bugtraq beej org)

Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:21PM
Dave Markham (dave markham fjserv net)