Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Gentoo: 202310-11 Urgent: OpenSSL ASN.1 Parsing Denial of Service

gentoo
Calendar Grey October 1, 2003
Dist Gentoo Esm H88
Critical vulnerabilities in OpenSSL's ASN.1 handling may lead to system crashes, necessitating urgent updates for Debian users.
Due to an error in the SSL/TLS protocol handling, a server will parsea client certificate when one is not specifically requested.

Summary


GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
     GENTOO BUG # : 30001


DESCRIPTION
quote from OpenSSL advisory:
"1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errorsare not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will pars...

Read the Full Advisory

Resolution

References

Availability

style>.gentoo_availability{display:block;}

Concerns

Severity
important
Lowest
Low
Medium
High
Critical

PACKAGE : openssl
SUMMARY : vulnerabilities in ASN.1 parsing
DATE : 2003-10-01 14:48 UTC
EXPLOIT : remote
CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

Synopsis

Background

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

Impact

Workaround

Your message here