Pardus: 2010-46: [UPDATE] OpenSSL: Denial of Service
Posted by Benjamin D. Thomas   
A vulnerability has been fixed in OpenSSL, which can be exploited by malicious people to manipulate certain data and cause a DoS (Denial of Service). UPDATE: The same problem has been addressed in Pardus 2008.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-46            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-04-09
  Severity: 3
      Type: Local
------------------------------------------------------------------------

Summary
======
A vulnerability has been fixed in OpenSSL, which can be exploited by
malicious people to manipulate certain data and cause a DoS (Denial of
Service).

UPDATE: The same problem has been addressed in Pardus 2008.


Description
==========
CVE-2010-0740:

The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL allows remote
attackers to cause a denial of service (crash) via a malformed record in
a TLS connection that triggers a NULL pointer dereference, related to
the minor version number.
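
The record header that carries the version fields, checked defensively.
This is an added example, not OpenSSL's code or its patch: the function
check_record_header, the enum rec_status and the sample headers are
hypothetical and constructed here. It assumes the session has already
negotiated a version and rejects any header that disagrees with it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of checking one 5-byte TLS record header. */
enum rec_status { REC_OK, REC_SHORT, REC_BAD_TYPE, REC_BAD_MAJOR,
                  REC_BAD_MINOR, REC_TOO_LONG };

#define REC_HDR_LEN 5
#define REC_MAX_LEN (16384 + 2048)   /* TLSCiphertext limit, RFC 5246 6.2.3 */

/* Validate header bytes against the version negotiated for the session.
 * Every failure is a plain return value: no session state is touched on
 * the basis of a field that has not been checked yet. */
enum rec_status check_record_header(const uint8_t *buf, size_t n,
                                    uint8_t neg_major, uint8_t neg_minor,
                                    size_t *payload_len)
{
    if (buf == NULL || payload_len == NULL || n < REC_HDR_LEN)
        return REC_SHORT;
    if (buf[0] < 20 || buf[0] > 23)  /* ccs, alert, handshake, app data */
        return REC_BAD_TYPE;
    if (buf[1] != neg_major)
        return REC_BAD_MAJOR;
    if (buf[2] != neg_minor)         /* the field the CVE text refers to */
        return REC_BAD_MINOR;
    size_t len = ((size_t)buf[3] << 8) | buf[4];
    if (len > REC_MAX_LEN)
        return REC_TOO_LONG;
    *payload_len = len;
    return REC_OK;
}

int main(void)
{
    /* Constructed headers for a session negotiated as TLS 1.0 (3,1). */
    const uint8_t good[]  = { 22, 3, 1, 0x00, 0x2a };
    const uint8_t minor[] = { 22, 3, 2, 0x00, 0x2a };
    const uint8_t big[]   = { 23, 3, 1, 0xff, 0xff };
    size_t len = 0;
    printf("good  -> %d\n", check_record_header(good, sizeof good, 3, 1, &len));
    printf("minor -> %d\n", check_record_header(minor, sizeof minor, 3, 1, &len));
    printf("big   -> %d\n", check_record_header(big, sizeof big, 3, 1, &len));
    return 0;
}
```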


Affected packages:

  Pardus 2009:
    openssl, all before 0.9.8k-27-10
  Pardus 2008:
    openssl, all before 0.9.8k-26-13


Resolution
=========
There are update(s) for openssl. You can update them via Package Manager
or with a single command from console:

  Pardus 2008:
    pisi up openssl

  Pardus 2009:
    pisi up openssl


References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id513
  * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740
  * http://www.openssl.org/news/secadv_20100324.txt

------------------------------------------------------------------------