Gentoo: openssl denial of service vulnerability - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Advisory Watch: February 10th, 2012

Linux Security Week: February 6th, 2012

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Gentoo: openssl denial of service vulnerability

User Rating:

How can I rate this item?

Posted by LinuxSecurity.com Team

Due to an error in the SSL/TLS protocol handling, a server will parsea client certificate when one is not specifically requested.


- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
- - - ---------------------------------------------------------------------

          PACKAGE : openssl
          SUMMARY : vulnerabilities in ASN.1 parsing
             DATE : 2003-10-01 14:48 UTC
          EXPLOIT : remote
     GENTOO BUG # : 30001
              CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

- - - ---------------------------------------------------------------------

DESCRIPTION

quote from OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication."

read the full advisory at 
http://www.openssl.org/news/secadv_20030930.txt

SOLUTION

it is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to a fixed version.

make sure that the version to be installed is atleast 0.9.6k(stable)
or 0.9.7c(masked).

emerge sync
emerge openssl -p
emerge openssl
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at  http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------