Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Fabien on October 01, 2003, 02:08:01 PM
-
Just for info:
http://www.openssl.org/news/secadv_20030930.txt
It seems that SME 5.5 is affected; what about a patch, and what about other versions?
-
This is the notification (in part) from Redhat:
NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully-crafted SSL client certificate to an application. The effects of such an attack vary depending on the application targeted; against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to this issue.
Red Hat Linux versions 7.1, 7.2, 7.3, and 8.0 contain OpenSSL 0.9.6 and are therefore vulnerable to this issue.
Personally, I'm not that worried as Apache is the only user of SSL on my box.