[34158] in bugtraq
Re: New OpenSSL releases fix denial of service attacks [17 March
daemon@ATHENA.MIT.EDU (Mark J Cox)
Wed Mar 17 15:03:03 2004
Date: Wed, 17 Mar 2004 15:30:25 +0000 (GMT)
From: Mark J Cox <mark@awe.com>
To: Marc Bejarano <bugtraq@beej.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <6.0.3.0.2.20040317112244.03ecfb90@127.0.0.1>
Message-ID: <Pine.LNX.4.44.0403171530040.387-100000@pingu.awe.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> according to NISCC Vulnerability Advisory 224012 (
> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
> third potential DoS that was found with this testing sweep: CVE
> CAN-2004-0081. quoting from the NISCC advisory:
Absolutely, but that was fixed back in 0.9.6d a long time ago.
> NISCC/224012/3 [OpenSSL 0.9.6]
> CAN-2004-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
> Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
> uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a
> Denial of Service attack (infinite loop). This issue was traced to a fix
> that was added to OpenSSL 0.9.6d some time ago. This issue will affect
> vendors that ship older versions of OpenSSL with backported security patches.
Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
