Po chwili wytchnienia od ostatniego łatania systemu związanego z błędem w kernelu, teraz przyszedł czas znów zabrać się do pracy, ale tym razem uaktualniając biblioteke OpenSSL. Zostało wydane dziś advisory które zaleca update do najnowszych wersji tej biblioteki. Ujawnione błędy mogą doprowadzić do udanego ataku Denial of Service. Pełny tekst advisory poniżej, a nowe źródła dostępne pod adresem http://www.openssl.org/source/.

  OpenSSL Security Advisory [17 March 2004]    Updated versions of OpenSSL are now available which correct two   security issues:      1. Null-pointer assignment during SSL handshake  ===============================================    Testing performed by the OpenSSL group using the Codenomicon TLS Test  Tool uncovered a null-pointer assignment in the  do_change_cipher_spec() function.  A remote attacker could perform a  carefully crafted SSL/TLS handshake against a server that used the  OpenSSL library in such a way as to cause OpenSSL to crash.  Depending  on the application this could lead to a denial of service.    The Common Vulnerabilities and Exposures project (cve.mitre.org) has  assigned the name CAN-2004-0079 to this issue.    All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from  0.9.7a to 0.9.7c inclusive are affected by this issue.  Any  application that makes use of OpenSSL's SSL/TLS library may be  affected.  Please contact your application vendor for details.      2. Out-of-bounds read affects Kerberos ciphersuites  ===================================================    Stephen Henson discovered a flaw in SSL/TLS handshaking code when  using Kerberos ciphersuites.  A remote attacker could perform a  carefully crafted SSL/TLS handshake against a server configured to use  Kerberos ciphersuites in such a way as to cause OpenSSL to crash.  Most applications have no ability to use Kerberos ciphersuites and  will therefore be unaffected.    The Common Vulnerabilities and Exposures project (cve.mitre.org) has  assigned the name CAN-2004-0112 to this issue.    Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this  issue.  Any application that makes use of OpenSSL's SSL/TLS library  may be affected.  Please contact your application vendor for details.    Recommendations  ---------------    Upgrade to OpenSSL 0.9.7d or 0.9.6m.  Recompile any OpenSSL applications  statically linked to OpenSSL libraries.    OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and  FTP from the following master locations (you can find the various FTP  mirrors under http://www.openssl.org/source/mirror.html):        ftp://ftp.openssl.org/source/    The distribution file names are:        o openssl-0.9.7d.tar.gz        MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5            o openssl-0.9.6m.tar.gz [normal]        MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9      o openssl-engine-0.9.6m.tar.gz [engine]        MD5 checksum: 4c39d2524bd466180f9077f8efddac8c    The checksums were calculated using the following command:        openssl md5 openssl-0.9*.tar.gz    Credits  -------    Patches for these issues were created by Dr Stephen Henson  (steve@openssl.org) of the OpenSSL core team.  The OpenSSL team would  like to thank Codenomicon for supplying the TLS Test Tool which was  used to discover these vulnerabilities, and Joe Orton of Red Hat for  performing the majority of the testing.    References  ----------    http://www.codenomicon.com/testtools/tls/  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112    URL for this Security Advisory:  http://www.openssl.org/news/secadv_20040317.txt  

Archiwalny news dodany przez użytkownika: cborys.
Kliknij tutaj by zobaczyć archiwalne komentarze.

Przeczytaj też

Oznaczone jako → 
Share →