Bug 138365 - CAN-2004-0081 missing from OpenSSL096b compatibility package
Summary: CAN-2004-0081 missing from OpenSSL096b compatibility package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl096b
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard: impact=moderate,deadline=20041108
Depends On:
Blocks:
 
Reported: 2004-11-08 16:34 UTC by Mark J. Cox
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-02 14:39:44 UTC
Type: ---
Embargoed:



Description Mark J. Cox 2004-11-08 16:34:51 UTC
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message
types, which allows remote attackers to cause a denial of service
(infinite loop), as demonstrated using the Codenomicon TLS Test Tool.

During an audit of FC3 security issues, the Red Hat security team
discovered that the fix for CAN-2004-0081 is missing from OpenSSL096b.
This does not present a large risk due to the use of this
compatibility package.

Comment 2 Tomas Mraz 2005-02-02 14:39:44 UTC
Fixed in openssl096b-0.9.6b-20 and -21 for FC2/FC3.


