Fw: OpenSSL Security Advisory

From: Scott G. Kelly (s.kelly
Date: Fri, 12 Oct 2007 09:53:45 -0700 (PDT)
FYI... vulnerability in the openssl DTLS implementation - patch is available.

-----Forwarded Message-----
> From: Ben Laurie <ben [at] links.org>
> Sent: Oct 12, 2007 4:05 AM
> To: OpenSSL Announce <openssl-announce [at] openssl.org>, openssl-users
> <openssl-users [at] openssl.org>, OpenSSL Dev <openssl-dev [at] openssl.org>,
> Bugtraq <BUGTRAQ [at] SECURITYFOCUS.COM>, Cryptography <cryptography [at]
> metzdowd.com>, full-disclosure-request [at] lists.grok.org.uk
> Subject: OpenSSL Security Advisory
>
> OpenSSL Security Advisory [12-Oct-2007]
>
> OpenSSL Vulnerabilities
> -----------------------
>
> Vulnerability A
> ---------------
>
> Andy Polyakov discovered a flaw in OpenSSL's DTLS implementation which
> could lead to the compromise of clients and servers with DTLS enabled.
>
> DTLS is a datagram variant of TLS specified in RFC 4347 first
> supported in OpenSSL version 0.9.8. Note that the vulnerabilities do
> not affect SSL and TLS so only clients and servers explicitly using
> DTLS are affected.
>
> We believe this flaw will permit remote code execution.
>
> This vulnerability is tracked as CVE-2007-4995.
>
> Versions Affected
> -----------------
>
> All releases of 0.9.8 prior to 0.9.8f.
>
> Recommendation
> --------------
>
> Either
>
> a) Upgrade to the latest version of OpenSSL (0.9.8f) and rebuild all
> packages using OpenSSL for DTLS.
>
> or,
>
> b) Disable DTLS.
>
> Vulnerability B
> ---------------
>
> Moritz Jodeit found an off-by-one error in SSL_get_shared_ciphers(), a
> function that should normally only be used for logging or debugging.
>
> The impact of this overflow is unclear.
>
> This vulnerability is tracked as CVE-2007-5135.
>
> Versions Affected
> -----------------
>
> All releases of 0.9.8 prior to 0.9.8f. All releases of 0.9.7 prior to
> 0.9.7m.
>
> (Note that versions prior to 0.9.8d and 0.9.7l actually had a worse
> problem in the same function).
>
> Recommendation
> --------------
>
> a) Don't use SSL_get_shared_ciphers().
>
> OR
>
> b) Upgrade to 0.9.8f.
>
> --
> http://www.apache-ssl.org/ben.html http://www.links.org/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo [at]
> metzdowd.com
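The advisory above gives two "Versions Affected" ranges (0.9.8 prior to 0.9.8f for both CVEs, plus 0.9.7 prior to 0.9.7m for CVE-2007-5135) and notes that CVE-2007-4995 only matters where DTLS is actually in use. The following script is an added example, not part of the forwarded message or of the OpenSSL project; it turns those ranges into a small checker that a defender can run over the version strings reported by deployed builds (e.g. the output of `openssl version`). The function names are mine, and it assumes OpenSSL's patch-letter ordering (no letter, then a..z, then two-letter suffixes such as zh) and knows only the branches the advisory names; anything else is reported as outside the advisory's scope rather than as safe.

```python
import re

# Fixed release per branch, copied from the advisory's "Versions Affected":
# CVE-2007-4995 (DTLS flaw): 0.9.8 releases before 0.9.8f.
# CVE-2007-5135 (off-by-one in SSL_get_shared_ciphers): 0.9.8 before 0.9.8f,
# 0.9.7 before 0.9.7m. Branches not listed are outside the advisory's scope.
ADVISORY_FIXES = {
    "CVE-2007-4995": {"0.9.8": "f"},
    "CVE-2007-5135": {"0.9.8": "f", "0.9.7": "m"},
}

# Matches "0.9.8e" inside strings such as "OpenSSL 0.9.8e-fips 23 Feb 2007".
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (branch, patch_letters) for an OpenSSL version string.

    '' as patch_letters means the initial release of the branch (e.g. "0.9.8"),
    which sorts before "0.9.8a". Raises ValueError on unrecognised input.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % (text,))
    return m.group(1), m.group(2)


def _patch_key(letters):
    # Assumption: OpenSSL patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb'...,
    # so comparing (length, string) reproduces release order.
    return (len(letters), letters)


def affected_cves(version, uses_dtls=True):
    """List the advisory's CVE ids whose affected range contains `version`.

    `uses_dtls=False` drops CVE-2007-4995, since the advisory states that only
    clients and servers explicitly using DTLS are exposed to it. The
    SSL_get_shared_ciphers() issue is reported whenever the version is in range,
    because the advisory's recommendation ("don't use the function") is a
    code-level choice the version string cannot reveal.
    """
    branch, letters = parse_openssl_version(version)
    hits = []
    for cve, fixes in ADVISORY_FIXES.items():
        fixed_letters = fixes.get(branch)
        if fixed_letters is None:
            continue  # branch not named by the advisory: no claim either way
        if _patch_key(letters) < _patch_key(fixed_letters):
            hits.append(cve)
    if not uses_dtls and "CVE-2007-4995" in hits:
        hits.remove("CVE-2007-4995")
    return sorted(hits)


def in_advisory_scope(version):
    """True if the advisory says anything about this version's branch."""
    branch, _ = parse_openssl_version(version)
    return any(branch in fixes for fixes in ADVISORY_FIXES.values())


if __name__ == "__main__":
    # Constructed sample inventory: (host label, `openssl version` output, DTLS in use).
    inventory = [
        ("vpn-gw-1", "OpenSSL 0.9.8e-fips 23 Feb 2007", True),
        ("web-2", "OpenSSL 0.9.8e 23 Feb 2007", False),
        ("legacy-db", "OpenSSL 0.9.7l 28 Sep 2006", False),
        ("build-box", "OpenSSL 0.9.8f 11 Oct 2007", True),
        ("appliance", "OpenSSL 1.0.0 29 Mar 2010", True),
    ]
    for host, banner, dtls in inventory:
        if not in_advisory_scope(banner):
            print("%-10s %-35s not covered by this advisory" % (host, banner))
            continue
        cves = affected_cves(banner, uses_dtls=dtls)
        print("%-10s %-35s %s" % (host, banner, ", ".join(cves) or "not affected"))
```

Running the script prints one line per constructed host, so an operator can see at a glance which builds need the 0.9.8f / 0.9.7m upgrade and which only need DTLS disabled as an interim step.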