Re: SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)

[Georgi Guninski <guninski () guninski com>]

so you are giving credit to some pseudo 0days (corporate promotion), but you
are not giving credit to some pseudo 0days - see quoted text.

is this on purpose?


On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 1) Problem Description and Brief Discussion
>
>    Several security problems were found and fixed in the OpenSSL
>    cryptographic library.
>
>    CVE-2006-3738/VU#547300:
>    A Google security audit found a buffer overflow condition within the
>    SSL_get_shared_ciphers() function which has been fixed.
>
>    CVE-2006-4343/VU#386964:
>    The above Google security audit also found that the OpenSSL SSLv2
>    client code fails to properly check for NULL which could lead to a
>    server program using openssl to crash.
>
>    CVE-2006-2937:
>    Fix mishandling of an error condition in parsing of certain invalid
>    ASN1 structures, which could result in an infinite loop which consumes
>    system memory.
>
>    CVE-2006-2940:
>    Certain types of public key can take disproportionate amounts of time
>    to process. This could be used by an attacker in a denial of service
>    attack to cause the remote side top spend an excessive amount of time
>    in computation.
>
> 2) Solution or Work-Around

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/