Bugtraq mailing list archives
Re: New OpenSSL releases fix denial of service attacks [17 March 2004]
From: Marc Bejarano <bugtraq () beej org>
Date: Wed, 17 Mar 2004 13:52:07 -0400
At 11:30 3/17/2004, Mark J Cox wrote: >> according to NISCC Vulnerability Advisory 224012 ( >> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a >> third potential DoS that was found with this testing sweep: CVE >> CAN-2004-0081. quoting from the NISCC advisory: > >Absolutely, but that was fixed back in 0.9.6d a long time ago.there appears to be a new CVE number corresponding to this issue. that either means that 1) the issue is really new to CVE and most people weren't aware of it and should be made so, regardless of whether a fix was slipped in long ago or 2) the CVE number is a dupe and should be marked as such.
do you know which case we have?if the former, the OpenSSL folks have a duty to advise their users of the newly discovered vulnerability. as the NISCC advisory states the issue would "affect vendors that ship older versions of OpenSSL with backported security patches". if the latter, then the NISCC folks need to clear things up in their advisory.
cheers, marc
Current thread:
- New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Mark J Cox (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Dave Markham (Mar 17)
- Re: New OpenSSL releases fix denial of service attacks [17 March 2004] Marc Bejarano (Mar 17)