Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2003.044
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2003.044
Advisory Published:      2010-09-03 22:42 UTC

Issue Id (internal):     OpenPKG-SI-20030930.01
Issue First Created:     2003-09-30
Issue Last Modified:     2006-11-28
Issue Revision:          07
Subject Name:            OpenSSL
Subject Summary:         Cryptography and SSL/TLS Toolkit
Subject Home:            http://www.openssl.org/
Subject Versions:        * <= 0.9.7b

Vulnerability Id:        CVE-2003-0543, CVE-2003-0544, CVE-2003-0545
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           denial of service, arbitrary code execution

Description:
  According to an OpenSSL [0] security advisory [1], multiple
  vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
  and 0.9.7b:

  1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
     parser can trigger a bug in the deallocation of the corresponding
     data structure, corrupting the stack.

  2. Unusual ASN.1 tag values can cause an out-of-bounds read under
     certain circumstances.

  3. A malformed public key in a certificate will crash the verify code
     if it is set to ignore public key decoding errors (which is usually
     not the case, except for debugging purposes).

  4. Due to an error in the SSL/TLS protocol handling, a server will
     parse a client certificate even when one is not specifically
     requested. This means that all OpenSSL-based SSL/TLS servers can be
     attacked using vulnerabilities 1, 2 and 3 even if they do not
     enable client authentication.

References:
  [0] http://www.openssl.org/
  [1] http://www.openssl.org/news/secadv_20030930.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0543
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0544
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] http://www.openpkg.org/security.html#signature
Primary Package Name:    openssl
Primary Package Home:    http://openpkg.org/go/package/openssl

Affected Distribution:   Affected Branch:   Affected Package:
OpenPKG Community        1.2-SOLID          openssl-0.9.7-1.2.3
OpenPKG Community        1.3-SOLID          openssl-0.9.7b-1.3.1
OpenPKG Community        CURRENT            openssl-0.9.7b-20030806

Corrected Distribution:  Corrected Branch:  Corrected Package:
OpenPKG Community        1.2-SOLID          openssl-0.9.7-1.2.4
OpenPKG Community        1.3-SOLID          openssl-0.9.7b-1.3.2
OpenPKG Community        CURRENT            openssl-0.9.7b-20030930