Koozali.org: home of the SME Server

OpenSSL security advisory

Fabien

OpenSSL security advisory
« on: October 01, 2003, 02:08:01 PM »
Just for info:
http://www.openssl.org/news/secadv_20030930.txt

It seems that SME 5.5 is affected; what about patches and other versions?

NickR

Re: OpenSSL security advisory
« Reply #1 on: October 03, 2003, 12:46:39 AM »
This is the notification (in part) from Red Hat:

NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully-crafted SSL client certificate to an application. The effects of such an attack vary depending on the application targeted; against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to this issue.

Red Hat Linux versions 7.1, 7.2, 7.3, and 8.0 contain OpenSSL 0.9.6 and are therefore vulnerable to this issue.

Personally, I'm not that worried as Apache is the only user of SSL on my box.
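As an added illustration (not part of this thread, not OpenSSL's code, and not a reproduction of the CAN-2003-0543/0544 bug itself), the Python below is a small DER identifier/length decoder showing what "unusual ASN.1 tag values" look like inside a certificate: the high-tag-number form used for tag numbers of 31 and above, plus truncated, non-minimal and oversized encodings. It demonstrates how a parser should reject such input with a clean error rather than crash. The test vectors and the MAX_TAG_BYTES limit are my own assumptions for the example.

```python
# Added example, not OpenSSL code and not an exploit: a defensive DER
# identifier/length decoder that handles the high-tag-number form and
# rejects malformed tag/length encodings instead of crashing on them.

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
MAX_TAG_BYTES = 5  # assumption: a 32-bit tag number fits in 5 base-128 bytes


class DerError(ValueError):
    """Raised for any malformed identifier or length encoding."""


def decode_identifier(buf, pos=0):
    """Return (class, constructed, tag_number, next_pos) for buf[pos:]."""
    if pos >= len(buf):
        raise DerError("truncated identifier")
    first = buf[pos]
    cls = first >> 6
    constructed = bool(first & 0x20)
    tag = first & 0x1F
    pos += 1
    if tag != 0x1F:
        return cls, constructed, tag, pos
    # High-tag-number form: base-128 digits, MSB set on all but the last byte.
    tag = 0
    nbytes = 0
    while True:
        if pos >= len(buf):
            raise DerError("truncated high-tag-number form")
        b = buf[pos]
        pos += 1
        nbytes += 1
        if nbytes == 1 and b == 0x80:
            raise DerError("non-minimal high-tag-number encoding (leading 0x80)")
        if nbytes > MAX_TAG_BYTES:
            raise DerError("tag number too large")
        tag = (tag << 7) | (b & 0x7F)
        if not (b & 0x80):
            break
    if tag < 0x1F:
        raise DerError("high-tag-number form used for tag < 31")
    return cls, constructed, tag, pos


def decode_length(buf, pos):
    """Return (length, next_pos); DER forbids indefinite and non-minimal lengths."""
    if pos >= len(buf):
        raise DerError("truncated length")
    b = buf[pos]
    pos += 1
    if b < 0x80:
        return b, pos
    n = b & 0x7F
    if n == 0:
        raise DerError("indefinite length not allowed in DER")
    if n > 4:
        raise DerError("length field too long")
    if pos + n > len(buf):
        raise DerError("truncated length octets")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    if length < 0x80 or buf[pos - n] == 0:
        raise DerError("non-minimal length encoding")
    if pos + length > len(buf):
        raise DerError("content extends past end of buffer")
    return length, pos


def decode_tlv(buf):
    """Decode one TLV header and slice its value; raises DerError on bad input."""
    cls, constructed, tag, pos = decode_identifier(buf, 0)
    length, pos = decode_length(buf, pos)
    return {"class": CLASS_NAMES[cls], "constructed": constructed, "tag": tag,
            "value": buf[pos:pos + length], "next": pos + length}


def classify(buf):
    """Return ("ok", decoded) or ("reject", reason) without ever raising."""
    try:
        return "ok", decode_tlv(buf)
    except DerError as e:
        return "reject", str(e)


# Constructed test vectors (hand-made for this example, not from any real cert).
SAMPLES = {
    "sequence": bytes.fromhex("30020500"),          # SEQUENCE { NULL }
    "ctx0": bytes.fromhex("a003020101"),            # [0] { INTEGER 1 }
    "hightag": bytes.fromhex("bf810003020101"),     # [128] { INTEGER 1 }, tag bytes 81 00
    "truncated_hightag": bytes.fromhex("bf81"),     # high-tag form cut off
    "nonminimal_hightag": bytes.fromhex("bf801f00"),  # leading 0x80 digit
    "huge_tag": bytes.fromhex("bfffffffffff7f00"),  # six base-128 digits
    "indef_len": bytes.fromhex("3080"),             # BER indefinite length
    "nonminimal_len": bytes.fromhex("308105"),      # long form for length 5
    "overlong": bytes.fromhex("30820100"),          # claims 256 bytes, has 0
}


def audit_all():
    """Map every sample name to its verdict ("ok" or "reject")."""
    return {name: classify(buf)[0] for name, buf in SAMPLES.items()}
```

The point of the check is that every branch which reads another byte first verifies the byte exists and bounds how many bytes a single tag or length may consume; a parser that trusts the encoded tag or length to describe the buffer is the kind of code the advisory's crafted client certificate exercises.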