Gentoo: 202310-11 Urgent: OpenSSL ASN.1 Parsing Denial of Service
gentoo
October 1, 2003
Due to an error in the SSL/TLS protocol handling, a server will parsea client certificate when one is not specifically requested.
Summary
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
GENTOO BUG # : 30001
DESCRIPTION
quote from OpenSSL advisory:
"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errorsare not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will pars...Read the Full Advisory
Topics Covered
Resolution
References
Availability
style>.gentoo_availability{display:block;}
Concerns
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
PACKAGE : openssl
SUMMARY : vulnerabilities in ASN.1 parsing
DATE : 2003-10-01 14:48 UTC
EXPLOIT : remote
CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544
Topics Covered
Background
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Affected Packages
Impact
Workaround
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!