Description:
Summary: The remote host is missing an update for the 'OpenSSL' package(s) announced via the SSA:2005-286-01 advisory.
Vulnerability Insight: New OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. Under certain conditions, an attacker acting as a 'man in the middle' may force a client and server to fall back to the less-secure SSL 2.0 protocol.
More details about this issue may be found here:
[links moved to references]
Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/openssl-0.9.7g-i486-2.tgz: Patched.
  Fixed a vulnerability that could, in rare circumstances, allow an attacker
  acting as a 'man in the middle' to force a client and a server to negotiate
  the SSL 2.0 protocol (which is known to be weak) even if these parties both
  support SSL 3.0 or TLS 1.0.
  For more details, see:
    [links moved to references]
  (* Security fix *)
patches/packages/openssl-solibs-0.9.7g-i486-2.tgz: Patched.
  (* Security fix *)
+--------------------------+
Affected Software/OS: 'OpenSSL' package(s) on Slackware 8.1, Slackware 9.0, Slackware 9.1, Slackware 10.0, Slackware 10.1, Slackware 10.2, Slackware current.
Solution: Please install the updated package(s).
CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N