Re: OpenSSL heads-up
From: Jacques A. Vidrine (nectar_at_FreeBSD.org)
Date: 09/30/03
- Previous message: Dragos Ruiu: "Re: OpenSSL heads-up"
- In reply to: Dragos Ruiu: "Re: OpenSSL heads-up"
Date: Tue, 30 Sep 2003 16:49:58 -0500
To: Dragos Ruiu <dr@kyx.net>
On Tue, Sep 30, 2003 at 02:43:37PM -0700, Dragos Ruiu wrote:
> On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> > Don't panic. The vulnerability is denial-of-service.
>
> On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> > Three specific vulnerabilities have been discovered in the OpenSSL
> > libraries. Two of these could allow a Denial of Service attack, the third
> > may result in an attacker being able to execute malicious code under
> > certain conditions.
>
> Please clarify. Conflicting information.
<URL: http://www.openssl.org/news/secadv_20030930.txt >
1. Certain ASN.1 encodings that are rejected as invalid by the
parser can trigger a bug in the deallocation of the corresponding
data structure, corrupting the stack. This can be used as a denial
of service attack. It is currently unknown whether this can be
exploited to run malicious code. This issue does not affect OpenSSL
0.9.6.
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"