448495 – (CVE-2008-1672) CVE-2008-1672 openssl: Omit Server Key Exchange message crash

Bug 448495 (CVE-2008-1672) - CVE-2008-1672 openssl: Omit Server Key Exchange message crash

Summary: CVE-2008-1672 openssl: Omit Server Key Exchange message crash

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-1672
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	448690 448691 482112 530522
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-27 09:36 UTC by Tomas Hoger
Modified:	2021-11-12 19:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-06-04 19:06:16 UTC
Embargoed:

Attachments	(Terms of Use)
Upstream patch (1.52 KB, patch) 2008-05-27 09:36 UTC, Tomas Hoger	no flags	Details \| Diff
View All

Description Tomas Hoger 2008-05-27 09:36:21 UTC

CERT/FI identified following issue affecting OpenSSL:

Testing using the Codenomicon TLS test suite discovered a flaw if the
'Server Key exchange message' is omitted from a TLS handshake in
OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
malicious server with particular cipher suites, the server could cause
the client to crash.  (CVE-2008-1672).

Please note this issue does not affect any other released versions of
OpenSSL.

Comment 1 Tomas Hoger 2008-05-27 09:36:47 UTC

Created attachment 306751 [details]
Upstream patch

Comment 2 Tomas Hoger 2008-05-27 09:37:26 UTC

This issue does not affect openssl packages as shipped in Red Hat Enterprise
Linux 2.1, 3, 4 and 5, and Fedora 7 and 8.  Only upstream versions 0.9.8f and
0.9.8g were affected, currently only shipped in Fedora 9 and Rawhide.

Comment 4 Tomas Hoger 2008-05-28 09:16:40 UTC

Public now, lifting embargo:

  http://openssl.org/news/secadv_20080528.txt

Comment 6 Tomas Hoger 2008-05-28 11:15:50 UTC

CERT-FI advisory:

  https://www.cert.fi/haavoittuvuudet/2008/advisory-openssl.html

Comment 7 Fedora Update System 2008-05-28 21:53:35 UTC

openssl-0.9.8g-9.fc9 has been submitted as an update for Fedora 9

Comment 8 Fedora Update System 2008-05-31 02:13:39 UTC

openssl-0.9.8g-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Red Hat Product Security 2008-06-04 19:06:16 UTC

This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4723

Note You need to log in before you can comment on or make changes to this bug.