OpenSSL heads-up
Jacques A. Vidrine
nectar at FreeBSD.org
Tue Sep 30 14:50:02 PDT 2003
On Tue, Sep 30, 2003 at 02:43:37PM -0700, Dragos Ruiu wrote:
> On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> > Don't panic. The vulnerability is denial-of-service.
>
> On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> > Three specific vulnerabilities have been discovered in the OpenSSL
> > libraries. Two of these could allow a Denial of Service attack, the third
> > may result in an attacker being able to execute malicious code under
> > certain conditions.
>
> Please clarify. Conflicting information.
<URL: http://www.openssl.org/news/secadv_20030930.txt >
1. Certain ASN.1 encodings that are rejected as invalid by the
parser can trigger a bug in the deallocation of the corresponding
data structure, corrupting the stack. This can be used as a denial
of service attack. It is currently unknown whether this can be
exploited to run malicious code. This issue does not affect OpenSSL
0.9.6.
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
More information about the freebsd-security
mailing list