BugTraq
New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 01:12PM
Mark J Cox (mark awe com) (2 replies)
Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:23PM
Marc Bejarano (bugtraq beej org) (1 replies)
Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:30PM
Mark J Cox (mark awe com) (1 replies)
Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 05:52PM
Marc Bejarano (bugtraq beej org)
At 11:30 3/17/2004, Mark J Cox wrote:
>> according to NISCC Vulnerability Advisory 224012 (
>> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
>> third potential DoS that was found with this testing sweep: CVE
>> CAN-2004-0081. quoting from the NISCC advisory:
>
>Absolutely, but that was fixed back in 0.9.6d a long time ago.

there appears to be a new CVE number corresponding to this issue. that
either means that 1) the issue is really new to CVE and most people weren't
aware of it and should be made so, regardless of whether a fix was slipped
in long ago or 2) the CVE number is a dupe and should be marked as such.

do you know which case we have?

if the former, the OpenSSL folks have a duty to advise their users of the
newly discovered vulnerability. as the NISCC advisory states the issue
would "affect vendors that ship older versions of OpenSSL with backported
security patches". if the latter, then the NISCC folks need to clear
things up in their advisory.

cheers,
marc

Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mar 17 2004 03:21PM
Dave Markham (dave markham fjserv net)


 
