FreeBSD Local Security Checks : FreeBSD Security Advisory (FreeBSD-SA-03:18.openssl.asc)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.52641

Kategorie: FreeBSD Local Security Checks

Titel: FreeBSD Security Advisory (FreeBSD-SA-03:18.openssl.asc)

Zusammenfassung: The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-03:18.openssl.asc

Beschreibung: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-03:18.openssl.asc

Vulnerability Insight:
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

This advisory addresses four separate flaws recently fixed in OpenSSL.
The flaws are described in the following excerpt from the OpenSSL.org
advisory (see references):

1. Certain ASN.1 encodings that are rejected as invalid by the
parser can trigger a bug in the deallocation of the corresponding
data structure, corrupting the stack. This can be used as a denial
of service attack. It is currently unknown whether this can be
exploited to run malicious code. This issue does not affect OpenSSL
0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read
under certain circumstances, resulting in a denial of service
vulnerability.

3. A malformed public key in a certificate will crash the verify
code if it is set to ignore public key decoding errors. Public
key decode errors are not normally ignored, except for
debugging purposes, so this is unlikely to affect production
code. Exploitation of an affected application would result in a
denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server
will parse a client certificate when one is not specifically
requested. This by itself is not strictly speaking a vulnerability
but it does mean that *all* SSL/TLS servers that use OpenSSL can be
attacked using vulnerabilities 1, 2 and 3 even if they don't enable
client authentication.

Solution:
Upgrade your system to the appropriate stable release
or security branch dated after the correction date.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Copyright Copyright (C) 2008 E-Soft Inc.

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.52641
Kategorie:	FreeBSD Local Security Checks
Titel:	FreeBSD Security Advisory (FreeBSD-SA-03:18.openssl.asc)
Zusammenfassung:	The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-03:18.openssl.asc
Beschreibung:	Summary: The remote host is missing an update to the system as announced in the referenced advisory FreeBSD-SA-03:18.openssl.asc Vulnerability Insight: FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial- grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. This advisory addresses four separate flaws recently fixed in OpenSSL. The flaws are described in the following excerpt from the OpenSSL.org advisory (see references): 1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6. 2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability. 3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability. 4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that all SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication. Solution: Upgrade your system to the appropriate stable release or security branch dated after the correction date. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Copyright	Copyright (C) 2008 E-Soft Inc.