Two vulnerabilities might allow for a Denial of Service of daemons
using OpenSSL.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Ossi Herrala and Jukka Taimisto of Codenomicon discovered two
vulnerabilities:
* A double free() call in the TLS server name extension
(CVE-2008-0891).
* The OpenSSL client code does not properly handle servers that omit
the Server Key Exchange message in the TLS handshake (CVE-2008-1672).
Impact
======
A remote attacker could connect to a vulnerable server, or entice a
daemon to connect to a malicious server, causing a Denial of Service of
the daemon in both cases.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200806-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenSSL: Denial of Service
Date: June 23, 2008
Bugs: #223429
ID: 200806-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities might allow for a Denial of Service of daemons
using OpenSSL.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 0.9.8g-r2 >= 0.9.8g-r2
< 0.9.8f
Description
===========
Ossi Herrala and Jukka Taimisto of Codenomicon discovered two
vulnerabilities:
* A double free() call in the TLS server name extension
(CVE-2008-0891).
* The OpenSSL client code does not properly handle servers that omit
the Server Key Exchange message in the TLS handshake (CVE-2008-1672).
Impact
======
A remote attacker could connect to a vulnerable server, or entice a
daemon to connect to a malicious server, causing a Denial of Service of
the daemon in both cases.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8g-r2"
References
==========
[ 1 ] CVE-2008-0891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891
[ 2 ] CVE-2008-1672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200806-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJIYChPAAoJECaaHo/OfoM5+iQP/i/+fXfJ8AQc8hUikHLSN0j3
3ifriNGMlqlHdeJ2Nb3qURIDh+RFdEIQ20L1zfGdRdpWueJn+ws+fzNTbrM8hirg
SAigBLI4OuEodYsgVq6zvD+G+uIyJSPEutG4xEIs5B5SZqquppiWmHU5LIr7UyZy
80KQQgEEv3UwiXQLkW5W3Zr0F3HGGjrbwmH1wSqr4hsY103O4ibQsqa0mvqewRt0
a13d+SZcSgjwewQz68LRGCrItVIyq6vFBk8sKJApY1WivarKGBQ7SuSD4IO4c1R3
9R+7P5MlGUcf8MlFQrj0aZrAAqnV93t9NOCGAhnJEK8x/FQktuZFymxYNLzTjVO0
6JRvbjB8lR+XlWTDBpzgrEMkKHFMojO9LiDg//dsRoT2MVlRaXiCVQsnokv/f9Cm
2YCOGOf2k28iwiJD/cMDBAr/Teqrr8LpYafqowiEwBJRyKsgFFo5pdviUXA3DLop
c/9YWGEwPDlYrNtBpTFPVXC1qcuOroBNWzGuaINIFfgc10s2O1Z02gh2nyssPSNs
6811UfXOMgIR9ObRQT2oJDIOiUpT0p48/3CZ8PnNPgwR3kD+LOQtlbBWJqKe+S4o
ereU89FxzKwUlpIKcSofmQfq4P3ZrYJb0nHAzniUmfsxSAvhLlIBJgd01atyroc0
30xn8sTSq8/sCnyINxz0
=8vj5
-----END PGP SIGNATURE-----
[ reply ]