Bug 138365

Summary: CAN-2004-0081 missing from OpenSSL096b compatibility package
Product: [Fedora] Fedora
Reporter: Mark J. Cox <mjc>
Component: openssl096b
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 3
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,deadline=20041108
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-02-02 14:39:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Mark J. Cox 2004-11-08 16:34:51 UTC
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message
types, which allows remote attackers to cause a denial of service
(infinite loop), as demonstrated using the Codenomicon TLS Test Tool.

During an audit of FC3 security issues, the Red Hat security team
discovered that the fix for CAN-2004-0081 is missing from OpenSSL096b.
This does not present a large risk due to the use of this
compatibility package.

Comment 2 Tomas Mraz 2005-02-02 14:39:44 UTC
Fixed in openssl096b-0.9.6b-20 and -21 for FC2/FC3.