Date: Tue, 30 Sep 2003 16:49:58 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Dragos Ruiu <dr@kyx.net>
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSL heads-up
Message-ID: <20030930214958.GA2762@madman.celabo.org>
In-Reply-To: <200309301443.37090.dr@kyx.net>
References: <20030930203150.GC1996@madman.celabo.org> <200309301443.37090.dr@kyx.net>
On Tue, Sep 30, 2003 at 02:43:37PM -0700, Dragos Ruiu wrote:
> On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> > Don't panic. The vulnerability is denial-of-service.
>
> On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> > Three specific vulnerabilities have been discovered in the OpenSSL
> > libraries. Two of these could allow a Denial of Service attack, the third
> > may result in an attacker being able to execute malicious code under
> > certain conditions.
>
> Please clarify. Conflicting information.

<URL: http://www.openssl.org/news/secadv_20030930.txt >

   1. Certain ASN.1 encodings that are rejected as invalid by the parser
      can trigger a bug in the deallocation of the corresponding data
      structure, corrupting the stack. This can be used as a denial of
      service attack. It is currently unknown whether this can be
      exploited to run malicious code. This issue does not affect
      OpenSSL 0.9.6.

Cheers,
--
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se