Red Hat Local Security Checks : RedHat Security Advisory RHSA-2003:293

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.51027

Categoría: Red Hat Local Security Checks

Título: RedHat Security Advisory RHSA-2003:293

Resumen: NOSUMMARY

Descripción: Description:

The remote host is missing updates announced in
advisory RHSA-2003:293.

OpenSSL is a commercial-grade, full-featured, and open source toolkit that
implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols as well as a full-strength general purpose cryptography
library.

NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL to
crash. A remote attacker could trigger this bug by sending a carefully
crafted SSL client certificate to an application. The effects of such an
attack vary depending on the application targetted
against Apache the
effects are limited, as the attack would only cause child processes to die
and be replaced. An attack against other applications that use OpenSSL
could result in a Denial of Service. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CVE-2003-0543 and
CVE-2003-0544 to this issue.

These erratum packages contain a patch provided by the OpenSSL group that
protects against this issue.

Because server applications are affected by this issue, users are advised
to either restart all services that use OpenSSL functionality or reboot
their systems after installing these updates.

Red Hat would like to thank NISCC and Stephen Henson for their work on this
vulnerability.

These packages also include a patch from OpenSSL 0.9.6f which removes
the calls to abort the process in certain circumstances. Red Hat would
like to thank Patrik Hornik for notifying us of this issue.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2003-293.html
http://www.niscc.gov.uk/
http://www.openssl.org/news/secadv_20030930.txt

Risk factor : Medium

CVSS Score:
5.0

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2003-0543
BugTraq ID: 8732
http://www.securityfocus.com/bid/8732
http://www.cert.org/advisories/CA-2003-26.html
CERT/CC vulnerability note: VU#255484
http://www.kb.cert.org/vuls/id/255484
Debian Security Information: DSA-393 (Google Search)
http://www.debian.org/security/2003/dsa-393
Debian Security Information: DSA-394 (Google Search)
http://www.debian.org/security/2003/dsa-394
En Garde Linux Advisory: ESA-20030930-027
http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4254
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5292
http://www.redhat.com/support/errata/RHSA-2003-291.html
http://www.redhat.com/support/errata/RHSA-2003-292.html
http://secunia.com/advisories/22249
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1
http://www.vupen.com/english/advisories/2006/3900
Common Vulnerability Exposure (CVE) ID: CVE-2003-0544
CERT/CC vulnerability note: VU#380864
http://www.kb.cert.org/vuls/id/380864
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4574
XForce ISS Database: openssl-asn1-sslclient-dos(43041)
https://exchange.xforce.ibmcloud.com/vulnerabilities/43041

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.51027
Categoría:	Red Hat Local Security Checks
Título:	RedHat Security Advisory RHSA-2003:293
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory RHSA-2003:293. OpenSSL is a commercial-grade, full-featured, and open source toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully crafted SSL client certificate to an application. The effects of such an attack vary depending on the application targetted against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0543 and CVE-2003-0544 to this issue. These erratum packages contain a patch provided by the OpenSSL group that protects against this issue. Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or reboot their systems after installing these updates. Red Hat would like to thank NISCC and Stephen Henson for their work on this vulnerability. These packages also include a patch from OpenSSL 0.9.6f which removes the calls to abort the process in certain circumstances. Red Hat would like to thank Patrik Hornik for notifying us of this issue. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2003-293.html http://www.niscc.gov.uk/ http://www.openssl.org/news/secadv_20030930.txt Risk factor : Medium CVSS Score: 5.0
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2003-0543 BugTraq ID: 8732 http://www.securityfocus.com/bid/8732 http://www.cert.org/advisories/CA-2003-26.html CERT/CC vulnerability note: VU#255484 http://www.kb.cert.org/vuls/id/255484 Debian Security Information: DSA-393 (Google Search) http://www.debian.org/security/2003/dsa-393 Debian Security Information: DSA-394 (Google Search) http://www.debian.org/security/2003/dsa-394 En Garde Linux Advisory: ESA-20030930-027 http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4254 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5292 http://www.redhat.com/support/errata/RHSA-2003-291.html http://www.redhat.com/support/errata/RHSA-2003-292.html http://secunia.com/advisories/22249 http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1 http://www.vupen.com/english/advisories/2006/3900 Common Vulnerability Exposure (CVE) ID: CVE-2003-0544 CERT/CC vulnerability note: VU#380864 http://www.kb.cert.org/vuls/id/380864 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4574 XForce ISS Database: openssl-asn1-sslclient-dos(43041) https://exchange.xforce.ibmcloud.com/vulnerabilities/43041
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com