Bugtraq mailing list archives
Re: New OpenSSL releases fix denial of service attacks [17 March 2004]
From: Mark J Cox <mark () awe com>
Date: Wed, 17 Mar 2004 15:30:25 +0000 (GMT)
according to NISCC Vulnerability Advisory 224012 ( http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a third potential DoS that was found with this testing sweep: CVE CAN-2004-0081. quoting from the NISCC advisory:
Absolutely, but that was fixed back in 0.9.6d a long time ago.
NISCC/224012/3 [OpenSSL 0.9.6] CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081 Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). This issue was traced to a fix that was added to OpenSSL 0.9.6d some time ago. This issue will affect vendors that ship older versions of OpenSSL with backported security patches.
Mark -- Mark J Cox ........................................... www.awe.com/mark Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
Current thread:
- New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Dave Markham (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)