[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)
- To: Marcus Meissner <meissner@xxxxxxx>
- Subject: Re: [Full-disclosure] SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058)
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Thu, 28 Sep 2006 21:58:58 +0300
so you are giving credit to some pseudo 0days (corporate promotion), but you
are not giving credit to some pseudo 0days - see quoted text.
is this on purpose?
On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 1) Problem Description and Brief Discussion
>
> Several security problems were found and fixed in the OpenSSL
> cryptographic library.
>
> CVE-2006-3738/VU#547300:
> A Google security audit found a buffer overflow condition within the
> SSL_get_shared_ciphers() function which has been fixed.
>
> CVE-2006-4343/VU#386964:
> The above Google security audit also found that the OpenSSL SSLv2
> client code fails to properly check for NULL which could lead to a
> server program using openssl to crash.
>
> CVE-2006-2937:
> Fix mishandling of an error condition in parsing of certain invalid
> ASN1 structures, which could result in an infinite loop which consumes
> system memory.
>
> CVE-2006-2940:
> Certain types of public key can take disproportionate amounts of time
> to process. This could be used by an attacker in a denial of service
> attack to cause the remote side top spend an excessive amount of time
> in computation.
>
> 2) Solution or Work-Around
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/