Full Disclosure mailing list archives
Re: SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)
From: Georgi Guninski <guninski () guninski com>
Date: Thu, 28 Sep 2006 21:58:58 +0300
so you are giving credit to some pseudo 0days (corporate promotion), but you are not giving credit to some pseudo 0days - see quoted text. is this on purpose? On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1) Problem Description and Brief Discussion Several security problems were found and fixed in the OpenSSL cryptographic library. CVE-2006-3738/VU#547300: A Google security audit found a buffer overflow condition within the SSL_get_shared_ciphers() function which has been fixed. CVE-2006-4343/VU#386964: The above Google security audit also found that the OpenSSL SSLv2 client code fails to properly check for NULL which could lead to a server program using openssl to crash. CVE-2006-2937: Fix mishandling of an error condition in parsing of certain invalid ASN1 structures, which could result in an infinite loop which consumes system memory. CVE-2006-2940: Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack to cause the remote side top spend an excessive amount of time in computation. 2) Solution or Work-Around
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058) Marcus Meissner (Sep 28)
- Re: SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058) Georgi Guninski (Sep 28)