Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-0081: openssl: remote denial-of-service in older versions | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0081: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | sec-int discussion; patchinfo-box.openssl; patchinfo.openssl; proposed patch; patchinfo for Box, with distribution list corrected; patchinfo for sles, with distribution list corrected | | |
Description
Thomas Biege
2004-03-22 17:14:53 UTC
Created attachment 16952: sec-int discussion

Date: Wed, 17 Mar 2004 15:30:25 +0000 (GMT)
From: Mark J Cox <mark@awe.com>
To: Marc Bejarano <bugtraq@beej.org>
Cc: bugtraq@securityfocus.com
Subject: Re: New OpenSSL releases fix denial of service attacks [17 March 2004]

> according to NISCC Vulnerability Advisory 224012 (
> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
> third potential DoS that was found with this testing sweep: CVE
> CAN-2004-0081. quoting from the NISCC advisory:

Absolutely, but that was fixed back in 0.9.6d a long time ago.

> NISCC/224012/3 [OpenSSL 0.9.6]
> CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
> Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
> uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a
> Denial of Service attack (infinite loop). This issue was traced to a fix
> that was added to OpenSSL 0.9.6d some time ago. This issue will affect
> vendors that ship older versions of OpenSSL with backported security patches.

Mark

--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor

According to attachment 8952, http://cvs.openssl.org/chngview?cn=5721 would be the fix, right?

Created attachment 16958: patchinfo-box.openssl

Created attachment 16959: patchinfo.openssl

Affected packages (all with version < 0.9.6d) would be:

/work/SRC/old-versions/7.3/all/ openssl 0.9.6b
/work/SRC/old-versions/7.3/arch/sles-ppc/ openssl 0.9.6b
/work/SRC/old-versions/8.0/all/ openssl 0.9.6c

Correction (I deleted one line too much, apparently):

/work/SRC/old-versions/7.2/all/ openssl 0.9.6a
/work/SRC/old-versions/7.3/all/ openssl 0.9.6b
/work/SRC/old-versions/7.3/arch/sles-ppc/ openssl 0.9.6b
/work/SRC/old-versions/8.0/all/ openssl 0.9.6c

Created attachment 17040: proposed patch

Fixed packages for sles7-* (based on 7.2), sles7-ppc (based on 7.3) and 8.0-i386 are submitted.

Created attachment 17048: patchinfo for Box, with distribution list corrected

Created attachment 17049: patchinfo for sles, with distribution list corrected

(The correction is due to the fact that only openssl version < 0.9.6d is affected.)

Patchinfos are submitted. Thomas, I assign to you for further processing.

Ok.. thank you!

What's about this? http://w2d.suse.de/abuildstat/patchinfo/pending/ f8a05d08ac92b37c984d3312c881018f

still in QA queue

packages approved

CVE-2004-0081: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)