Attachment 218291 Details for Bug 321191 – draft advisory

draft advisory

advisory2.txt (text/plain), 1.17 KB, created by Mark J. Cox on 2007-10-06 08:10:36 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mark J. Cox

Created: 2007-10-06 08:10:36 UTC

Size: 1.17 KB

patch

obsolete

>OpenSSL Security Advisory [xx-xxx-2007]
>
>OpenSSL Vulnerabilities
>-----------------------
>
>Vulnerability A
>---------------
>
>Andy Polyakov discovered various flaws in OpenSSL's DTLS
>implementation which could lead to the compromise of clients and
>servers with DTLS enabled.
>
>These flaws may permit remote code execution.
>
>This vulnerability is tracked as CVE-2007-4995.
>
>Versions Affected
>-----------------
>
>All releases of 0.9.8 prior to 0.9.8f.
>
>Recommendation
>--------------
>
>Either
>
>a) Upgrade to the latest version of OpenSSL (0.9.8f) and rebuild all
>packages using OpenSSL for DTLS.
>
>or,
>
>b) Disable DTLS.
>
>Vulnerability B
>---------------
>
>Moritz Jodeit found an off-by-one error in SSL_get_shared_ciphers(), a
>function that should normally only be used for logging or debugging.
>
>The impact of this overflow is unclear.
>
>This vulnerability is tracked as CVE-2007-5135.
>
>Versions Affected
>-----------------
>
>All releases of 0.9.8 prior to 0.9.8f. All releases of 0.9.7 prior to
>0.9.7m.
>
>(Note that versions prior to 0.9.8d and 0.9.7l actually had a worse
>problem in the same function).
>
>Recommendation
>--------------
>
>a) Don't use SSL_get_shared_ciphers().
>
>OR
>
>b) Upgrade to 0.9.8f or 0.9.7m.

Actions: View

Attachments on bug 321191: 218291 | 218311