aru Posted October 1, 2003 Report Share Posted October 1, 2003 MandrakeSoft Security Advisory MDKSA-2003:098 : openssl September 30th, 2003 Updated openssl packages fix vulnerabilities Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which could be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. Depending upon the application targetted, the effects seen will vary; in some cases a DoS (Denial of Service) could be performed, in others nothing noticeable or adverse may happen. These two vulnerabilities have been assigned CAN-2003-0543 and CAN-2003-0544. Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. This can be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. This vulnerability may be exploitable to execute arbitrary code. This vulnerability has been assigned CAN-2003-0545. The packages provided have been built with patches provided by the OpenSSL group that resolve these issues. A number of server applications such as OpenSSH and Apache that make use of OpenSSL need to be restarted after the update has been applied to ensure that they are protected from these issues. Users are encouraged to restart all of these services or reboot their systems. The released versions of Mandrake GNU/Linux affected are: 8.2 [*] 9.0 [*] 9.1 [*] Multi Network Firewall 8.2 [*] Corporate Server 2.1 Full information about this advisory, including the updated packages, is available at: www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:098 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0544 http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0545 http://www.kb.cert.org/vuls/id/255484 http://www.kb.cert.org/vuls/id/380864 http://www.kb.cert.org/vuls/id/935264 http://www.openssl.org/news/secadv_20030930.txt http://www.uniras.gov.uk/vuls/2003/006489/tls.htm http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm Posted automatically by aru (mdksec2mub v0.0.6) Link to comment Share on other sites More sharing options...
Recommended Posts