Wednesday, May 28, 2008 6:41 PM
cmosby
OpenSSL Two Denial of Service Vulnerabilities - Secunia
Secunia Advisory: SA30405
Release Date: 2008-05-28
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: OpenSSL 0.9.x
CVE reference: CVE-2008-0891, CVE-2008-1672
Description:
Two vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) A double-free error in the handling of TLS server name extension data can be exploited by a remote attacker, via a specially crafted handshake packet, to crash a server application using OpenSSL.
Successful exploitation requires that OpenSSL was compiled with the TLS server name extension support enabled, which is not the default build option in these 0.9.8 releases.
2) An unspecified error can be exploited by a malicious server to crash a client application by omitting the "Server Key exchange" message from the TLS handshake when particular cipher suites are negotiated.
The vulnerabilities are reported in versions 0.9.8f and 0.9.8g.
Solution:
Update to version 0.9.8h.
Provided and/or discovered by:
The vendor credits Codenomicon.
Original Advisory:
http://www.openssl.org/news/secadv_20080528.txt
Filed under: Internet Applications, Security, Configuration Management, Enterprise Applications