Mandrake Local Security Checks : Mandrake Security Advisory MDKSA-2003:098 (openssl)

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.50753

Category: Mandrake Local Security Checks

Title: Mandrake Security Advisory MDKSA-2003:098 (openssl)

Summary: Mandrake Security Advisory MDKSA-2003:098 (openssl)

Description:
The remote host is missing an update to openssl
announced via advisory MDKSA-2003:098.

Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The
parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which
could be triggered by a remote attacker by sending a carefully-crafted
SSL client certificate to an application. Depending upon the
application targetted, the effects seen will vary
in some cases a DoS
(Denial of Service) could be performed, in others nothing noticeable
or adverse may happen. These two vulnerabilities have been assigned
CVE-2003-0543 and CVE-2003-0544.

Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain
ASN.1 encodings that are rejected as invalid by the parser can trigger
a bug in deallocation of a structure, leading to a double free. This
can be triggered by a remote attacker by sending a carefully-crafted
SSL client certificate to an application. This vulnerability may be
exploitable to execute arbitrary code. This vulnerability has been
assigned CVE-2003-0545.

The packages provided have been built with patches provided by the
OpenSSL group that resolve these issues.

A number of server applications such as OpenSSH and Apache that make
use of OpenSSL need to be restarted after the update has been applied
to ensure that they are protected from these issues. Users are
encouraged to restart all of these services or reboot their systems.

Affected versions: 8.2, 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDKSA-2003:098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545
http://www.kb.cert.org/vuls/id/255484
http://www.kb.cert.org/vuls/id/380864
http://www.kb.cert.org/vuls/id/935264
http://www.openssl.org/news/secadv_20030930.txt
http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm

Risk factor : Critical

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2003-0543
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
http://www.redhat.com/support/errata/RHSA-2003-291.html
http://www.redhat.com/support/errata/RHSA-2003-292.html
En Garde Linux Advisory: ESA-20030930-027
http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
Debian Security Information: DSA-393 (Google Search)
http://www.debian.org/security/2003/dsa-393
Debian Security Information: DSA-394 (Google Search)
http://www.debian.org/security/2003/dsa-394
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1
http://www.cert.org/advisories/CA-2003-26.html
CERT/CC vulnerability note: VU#255484
http://www.kb.cert.org/vuls/id/255484
BugTraq ID: 8732
http://www.securityfocus.com/bid/8732
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5292
http://www.vupen.com/english/advisories/2006/3900
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4254
http://secunia.com/advisories/22249
Common Vulnerability Exposure (CVE) ID: CVE-2003-0544
CERT/CC vulnerability note: VU#380864
http://www.kb.cert.org/vuls/id/380864
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4574
XForce ISS Database: openssl-asn1-sslclient-dos(43041)
http://xforce.iss.net/xforce/xfdb/43041
Common Vulnerability Exposure (CVE) ID: CVE-2003-0545
CERT/CC vulnerability note: VU#935264
http://www.kb.cert.org/vuls/id/935264
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2590

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.50753
Category:	Mandrake Local Security Checks
Title:	Mandrake Security Advisory MDKSA-2003:098 (openssl)
Summary:	Mandrake Security Advisory MDKSA-2003:098 (openssl)
Description:	The remote host is missing an update to openssl announced via advisory MDKSA-2003:098. Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which could be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. Depending upon the application targetted, the effects seen will vary in some cases a DoS (Denial of Service) could be performed, in others nothing noticeable or adverse may happen. These two vulnerabilities have been assigned CVE-2003-0543 and CVE-2003-0544. Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. This can be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. This vulnerability may be exploitable to execute arbitrary code. This vulnerability has been assigned CVE-2003-0545. The packages provided have been built with patches provided by the OpenSSL group that resolve these issues. A number of server applications such as OpenSSH and Apache that make use of OpenSSL need to be restarted after the update has been applied to ensure that they are protected from these issues. Users are encouraged to restart all of these services or reboot their systems. Affected versions: 8.2, 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. http://www.securityspace.com/smysecure/catid.html?in=MDKSA-2003:098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545 http://www.kb.cert.org/vuls/id/255484 http://www.kb.cert.org/vuls/id/380864 http://www.kb.cert.org/vuls/id/935264 http://www.openssl.org/news/secadv_20030930.txt http://www.uniras.gov.uk/vuls/2003/006489/tls.htm http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm Risk factor : Critical
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2003-0543 http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm http://www.redhat.com/support/errata/RHSA-2003-291.html http://www.redhat.com/support/errata/RHSA-2003-292.html En Garde Linux Advisory: ESA-20030930-027 http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html Debian Security Information: DSA-393 (Google Search) http://www.debian.org/security/2003/dsa-393 Debian Security Information: DSA-394 (Google Search) http://www.debian.org/security/2003/dsa-394 http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1 http://www.cert.org/advisories/CA-2003-26.html CERT/CC vulnerability note: VU#255484 http://www.kb.cert.org/vuls/id/255484 BugTraq ID: 8732 http://www.securityfocus.com/bid/8732 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5292 http://www.vupen.com/english/advisories/2006/3900 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4254 http://secunia.com/advisories/22249 Common Vulnerability Exposure (CVE) ID: CVE-2003-0544 CERT/CC vulnerability note: VU#380864 http://www.kb.cert.org/vuls/id/380864 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4574 XForce ISS Database: openssl-asn1-sslclient-dos(43041) http://xforce.iss.net/xforce/xfdb/43041 Common Vulnerability Exposure (CVE) ID: CVE-2003-0545 CERT/CC vulnerability note: VU#935264 http://www.kb.cert.org/vuls/id/935264 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2590
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com