Description:
Summary: The remote host is missing an update for the 'openssl' package(s) announced via the SSA:2009-014-01 advisory.
Vulnerability Insight: New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue when connecting to an SSL/TLS server that uses a certificate containing a DSA or ECDSA key.
More details about this issue may be found here: [links moved to references]
Here are the details from the Slackware 12.2 ChangeLog:
+--------------------------+
patches/packages/openssl-0.9.8i-i486-2_slack12.2.tgz:
  Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack.
  For more information, see: [links moved to references]
  (* Security fix *)
patches/packages/openssl-solibs-0.9.8i-i486-2_slack12.2.tgz:
  Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack.
  For more information, see: [links moved to references]
  (* Security fix *)
+--------------------------+
Affected Software/OS: 'openssl' package(s) on Slackware 11.0, Slackware 12.0, Slackware 12.1, Slackware 12.2, Slackware current.
Solution: Please install the updated package(s).
CVSS Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P