Bug 51657 (CVE-2004-0081) - VUL-0: CVE-2004-0081: openssl: remote denial-of-service in older versions
Status: RESOLVED FIXED
Alias: CVE-2004-0081
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
Whiteboard: CVE-2004-0081: CVSS v2 Base Score: 5....
Reported: 2004-03-22 17:14 UTC by Thomas Biege
Modified: 2021-09-26 10:39 UTC

Attachments
sec-int discussion (7.12 KB, text/plain)
2004-03-22 17:15 UTC, Thomas Biege
patchinfo-box.openssl (414 bytes, text/plain)
2004-03-22 18:28 UTC, Thomas Biege
patchinfo.openssl (448 bytes, text/plain)
2004-03-22 18:54 UTC, Thomas Biege
proposed patch (401 bytes, patch)
2004-03-23 20:43 UTC, Peter Poeml
patchinfo for Box, with distribution list corrected (375 bytes, text/plain)
2004-03-23 21:17 UTC, Peter Poeml
patchinfo for sles, with distribution list corrected (371 bytes, text/plain)
2004-03-23 21:20 UTC, Peter Poeml

Description Thomas Biege 2004-03-22 17:14:53 UTC
Hi Peter, 
unfortunately we are missing one fix for a remote DoS attack.
 
http://www.kb.cert.org/vuls/id/465542
Comment 2 Thomas Biege 2004-03-22 17:15:54 UTC
Created attachment 16952
sec-int discussion
Comment 3 Thomas Biege 2004-03-22 18:01:20 UTC
Date: Wed, 17 Mar 2004 15:30:25 +0000 (GMT) 
From: Mark J Cox <mark@awe.com> 
To: Marc Bejarano <bugtraq@beej.org> 
Cc: bugtraq@securityfocus.com 
Subject: Re: New OpenSSL releases fix denial of service attacks [17 March 2004]
 
> according to NISCC Vulnerability Advisory 224012 ( 
> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a 
> third potential DoS that was found with this testing sweep: CVE 
> CAN-2004-0081.  quoting from the NISCC advisory: 
 
Absolutely, but that was fixed back in 0.9.6d a long time ago. 
 
> NISCC/224012/3 [OpenSSL 0.9.6] 
> CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081 
> Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool 
> uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a 
> Denial of Service attack (infinite loop). This issue was traced to a fix 
> that was added to OpenSSL 0.9.6d some time ago. This issue will affect 
> vendors that ship older versions of OpenSSL with backported security 
> patches.
 
Mark 
-- 
Mark J Cox ........................................... www.awe.com/mark 
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor 
 
Comment 4 Peter Poeml 2004-03-22 18:11:18 UTC
According to attachment 8952, http://cvs.openssl.org/chngview?cn=5721
would be the fix, right?
Comment 5 Thomas Biege 2004-03-22 18:28:31 UTC
Created attachment 16958
patchinfo-box.openssl
Comment 6 Thomas Biege 2004-03-22 18:54:48 UTC
Created attachment 16959
patchinfo.openssl
Comment 7 Peter Poeml 2004-03-23 19:38:36 UTC
Affected packages (all with version < 0.9.6d) would be 
/work/SRC/old-versions/7.3/all/                    openssl 0.9.6b
/work/SRC/old-versions/7.3/arch/sles-ppc/          openssl 0.9.6b
/work/SRC/old-versions/8.0/all/                    openssl 0.9.6c
Comment 8 Peter Poeml 2004-03-23 20:36:00 UTC
Correction (I deleted one line too many, apparently):

/work/SRC/old-versions/7.2/all/                    openssl 0.9.6a
/work/SRC/old-versions/7.3/all/                    openssl 0.9.6b
/work/SRC/old-versions/7.3/arch/sles-ppc/          openssl 0.9.6b
/work/SRC/old-versions/8.0/all/                    openssl 0.9.6c
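
The "version < 0.9.6d" filter from the two comments above, as an added example (not part of the original bug report or of any SUSE tooling). It compares old-style OpenSSL version strings, where a patch letter follows the fix number, and also accepts the two-letter suffixes used by later series, which goes beyond the cases in this thread. The two `/constructed/` inventory lines and all function names are assumptions made for illustration. The comparison looks at the upstream base version only, so it cannot tell whether a package has since received a backported patch.

```python
import re

# Old-style OpenSSL versions: major.minor.fix plus an optional patch letter
# (0.9.6, 0.9.6a, ...). Later series continued past "z" with two letters
# (for example 0.9.8za), so up to two letters are accepted here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]{0,2})$")

FIXED_IN = "0.9.6d"  # from the thread: only versions < 0.9.6d are affected

# First four lines are the list from the thread; the last two are constructed.
INVENTORY = """\
/work/SRC/old-versions/7.2/all/                    openssl 0.9.6a
/work/SRC/old-versions/7.3/all/                    openssl 0.9.6b
/work/SRC/old-versions/7.3/arch/sles-ppc/          openssl 0.9.6b
/work/SRC/old-versions/8.0/all/                    openssl 0.9.6c
/constructed/example-a/                            openssl 0.9.6g
/constructed/example-b/                            openssl 0.9.7b
"""


def parse_openssl_version(text):
    """Return a sortable tuple for an old-style OpenSSL version string."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not an old-style OpenSSL version: {text!r}")
    major, minor, fix, letters = match.groups()
    # Plain string order gives "" < "a" < ... < "z" < "za" < "zb".
    return (int(major), int(minor), int(fix), letters)


def predates_fix(version, fixed_in=FIXED_IN):
    """True if the upstream base version is older than the fixed release."""
    return parse_openssl_version(version) < parse_openssl_version(fixed_in)


def affected_entries(inventory):
    """Return (path, version) pairs whose openssl base version predates the fix."""
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] == "openssl" and predates_fix(fields[2]):
            hits.append((fields[0], fields[2]))
    return hits


if __name__ == "__main__":
    for path, version in affected_entries(INVENTORY):
        print(f"{version:8} {path}")
```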
Comment 9 Peter Poeml 2004-03-23 20:43:11 UTC
Created attachment 17040
proposed patch
Comment 10 Peter Poeml 2004-03-23 21:15:35 UTC
Fixed packages for 
	sles7-* (based on 7.2), 
	sles7-ppc (based on 7.3) and
	8.0-i386 
are submitted.
Comment 11 Peter Poeml 2004-03-23 21:17:35 UTC
Created attachment 17048
patchinfo for Box, with distribution list corrected
Comment 12 Peter Poeml 2004-03-23 21:20:59 UTC
Created attachment 17049
patchinfo for sles, with distribution list corrected

(The correction is due to the fact that only openssl version < 0.9.6d is
affected)
Comment 13 Peter Poeml 2004-03-23 21:33:41 UTC
Patchinfos are submitted.
Comment 14 Peter Poeml 2004-03-23 21:34:15 UTC
Thomas, I assign to you for further processing.
Comment 15 Thomas Biege 2004-03-23 22:07:29 UTC
Ok.. thank you! 
Comment 16 Sebastian Krahmer 2004-04-16 17:52:50 UTC
What about this?
Comment 17 Thomas Biege 2004-04-16 18:03:35 UTC
http://w2d.suse.de/abuildstat/patchinfo/pending/
f8a05d08ac92b37c984d3312c881018f 
 
still in QA queue 
Comment 18 Thomas Biege 2004-04-27 16:13:42 UTC
packages approved 
Comment 19 Thomas Biege 2009-10-13 20:18:07 UTC
CVE-2004-0081: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)