OpenSSL: Denial of Service
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200806-08 / openssl |
| Release Date |
June 23, 2008 |
| Latest Revision |
June 23, 2008: 01 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| dev-libs/openssl |
<
0.9.8g-r2 |
>=
0.9.8g-r2,
<
0.9.8f |
All supported architectures
|
Related bugreports:
#223429
Synopsis
Two vulnerabilities might allow for a Denial of Service of daemons using
OpenSSL.
2.
Impact Information
Background
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Description
Ossi Herrala and Jukka Taimisto of Codenomicon discovered two
vulnerabilities:
-
A double free() call in the TLS server name extension (CVE-2008-0891).
-
The OpenSSL client code does not properly handle servers that omit the
Server Key Exchange message in the TLS handshake (CVE-2008-1672).
Impact
A remote attacker could connect to a vulnerable server, or entice a
daemon to connect to a malicious server, causing a Denial of Service of
the daemon in both cases.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All OpenSSL users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8g-r2"
|
4.
References
|
