Debian 3.1 DSA 1185-1 Critical: OpenSSL Denial of Service Vulnerabilities

September 28, 2006
The latest Ubuntu security notice USN-1234-1 warns of potential denial of service attacks stemming from vulnerabilities in the OpenSSL library, urging users to upgrade their systems promptly.
Multiple vulnerabilities have been discovered in the OpenSSL cryptographic software package that could allow an attacker to launch a denial of service attack by exhausting system r...

Summary

During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop
which consumes system memory.

Any code which uses OpenSSL to parse ASN1 data from untrusted
sources is affected. This includes SSL servers which enable
client authentication and S/MIME applications.

CVE-2006-3738
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a buffer overflow in the SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql. An
attacker could send a list of ciphers that would overrun a
buffer.
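As an added illustration (my own code, not OpenSSL's and not part of this advisory) of the bound that CVE-2006-3738 violated: a routine that joins peer-supplied cipher names into a caller-supplied buffer and stops at the caller's `size` rather than trusting the length of the list. The function name `join_cipher_names` and the sample cipher names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Illustrative code, not OpenSSL's implementation.  Builds a colon-separated
 * cipher list into a caller-supplied buffer, the job SSL_get_shared_ciphers()
 * does for applications such as exim and mysql, but never writes past `size`
 * bytes.  The defect class behind CVE-2006-3738 is a routine of this shape
 * that lets the peer-controlled list, not the caller's `size`, decide how
 * much gets written.
 *
 * Returns the number of names copied in full.  `buf` is always NUL-terminated
 * when size > 0; if a name would not fit, output stops at a name boundary.
 */
size_t join_cipher_names(const char *const *names, size_t count,
                         char *buf, size_t size)
{
    size_t used = 0;    /* bytes written so far, excluding the terminator */
    size_t copied = 0;

    if (size == 0)
        return 0;

    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        /* Space needed: the name, a ':' separator if not first, and '\0'. */
        size_t need = n + (i > 0 ? 1 : 0) + 1;
        if (size - used < need)
            break;          /* would overrun: stop here, keep what fits */
        if (i > 0)
            buf[used++] = ':';
        memcpy(buf + used, names[i], n);
        used += n;
        copied++;
    }
    buf[used] = '\0';       /* used <= size - 1 is guaranteed by the check */
    return copied;
}
```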

CVE-2006-4343
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a possible DoS in the SSLv2 client code. Where a
client application uses OpenSSL to make an SSLv2 connection to
a malicious server, that server could cause the client to
crash.

CVE-2006-2940
Dr S N Henson of the OpenSSL core team and Open Network
Security recently developed an ASN1 test suite for NISCC
...

Severity: critical