Test ID:	1.3.6.1.4.1.25623.1.0.64323
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-792-1)
Summary:	The remote host is missing an update for the 'openssl' package(s) announced via the USN-792-1 advisory.
Description:	Summary: The remote host is missing an update for the 'openssl' package(s) announced via the USN-792-1 advisory. Vulnerability Insight: It was discovered that OpenSSL did not limit the number of DTLS records it would buffer when they arrived with a future epoch. A remote attacker could cause a denial of service via memory resource consumption by sending a large number of crafted requests. (CVE-2009-1377) It was discovered that OpenSSL did not properly free memory when processing DTLS fragments. A remote attacker could cause a denial of service via memory resource consumption by sending a large number of crafted requests. (CVE-2009-1378) It was discovered that OpenSSL did not properly handle certain server certificates when processing DTLS packets. A remote DTLS server could cause a denial of service by sending a message containing a specially crafted server certificate. (CVE-2009-1379) It was discovered that OpenSSL did not properly handle a DTLS ChangeCipherSpec packet when it occurred before ClientHello. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1386) It was discovered that OpenSSL did not properly handle out of sequence DTLS handshake messages. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1387) Affected Software/OS: 'openssl' package(s) on Ubuntu 6.06, Ubuntu 8.04, Ubuntu 8.10, Ubuntu 9.04. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1377 1022241 http://www.securitytracker.com/id?1022241 35001 http://www.securityfocus.com/bid/35001 35128 http://secunia.com/advisories/35128 35416 http://secunia.com/advisories/35416 35461 http://secunia.com/advisories/35461 35571 http://secunia.com/advisories/35571 35729 http://secunia.com/advisories/35729 36533 http://secunia.com/advisories/36533 37003 http://secunia.com/advisories/37003 38761 http://secunia.com/advisories/38761 38794 http://secunia.com/advisories/38794 38834 http://secunia.com/advisories/38834 42724 http://secunia.com/advisories/42724 42733 http://secunia.com/advisories/42733 ADV-2009-1377 http://www.vupen.com/english/advisories/2009/1377 ADV-2010-0528 http://www.vupen.com/english/advisories/2010/0528 GLSA-200912-01 http://security.gentoo.org/glsa/glsa-200912-01.xml HPSBMA02492 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444 MDVSA-2009:120 http://www.mandriva.com/security/advisories?name=MDVSA-2009:120 NetBSD-SA2009-009 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc RHSA-2009:1335 http://www.redhat.com/support/errata/RHSA-2009-1335.html SSA:2010-060-02 http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 SSRT100079 SUSE-SR:2009:011 http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html USN-792-1 http://www.ubuntu.com/usn/USN-792-1 [openssl-dev] 20090516 [openssl.org #1930] [PATCH] DTLS record buffer limitation bug http://marc.info/?l=openssl-dev&m=124247675613888&w=2 [oss-security] 20090518 Two OpenSSL DTLS remote DoS http://www.openwall.com/lists/oss-security/2009/05/18/1 [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates http://lists.vmware.com/pipermail/security-announce/2010/000082.html http://cvs.openssl.org/chngview?cn=18187 http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html https://kb.bluecoat.com/index?page=content&id=SA50 https://launchpad.net/bugs/cve/2009-1377 oval:org.mitre.oval:def:6683 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6683 oval:org.mitre.oval:def:9663 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9663 Common Vulnerability Exposure (CVE) ID: CVE-2009-1378 8720 https://www.exploit-db.com/exploits/8720 [openssl-dev] 20090516 [openssl.org #1931] [PATCH] DTLS fragment handling memory leak http://marc.info/?l=openssl-dev&m=124247679213944&w=2 [openssl-dev] 20090518 Re: [openssl.org #1931] [PATCH] DTLS fragment handling memory leak http://marc.info/?l=openssl-dev&m=124263491424212&w=2 http://cvs.openssl.org/chngview?cn=18188 http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest https://launchpad.net/bugs/cve/2009-1378 oval:org.mitre.oval:def:11309 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11309 oval:org.mitre.oval:def:7229 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7229 Common Vulnerability Exposure (CVE) ID: CVE-2009-1379 35138 http://www.securityfocus.com/bid/35138 [oss-security] 20090518 Re: Two OpenSSL DTLS remote DoS http://www.openwall.com/lists/oss-security/2009/05/18/4 http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest https://launchpad.net/bugs/cve/2009-1379 openssl-dtls1retrievebufferedfragment-dos(50661) https://exchange.xforce.ibmcloud.com/vulnerabilities/50661 oval:org.mitre.oval:def:6848 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6848 oval:org.mitre.oval:def:9744 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9744 Common Vulnerability Exposure (CVE) ID: CVE-2009-1386 35174 http://www.securityfocus.com/bid/35174 35685 http://secunia.com/advisories/35685 8873 https://www.exploit-db.com/exploits/8873 SUSE-SR:2009:012 http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html [oss-security] 20090602 Re: Two OpenSSL DTLS remote DoS http://www.openwall.com/lists/oss-security/2009/06/02/1 http://cvs.openssl.org/chngview?cn=17369 http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest openssl-changecipherspec-dos(50963) https://exchange.xforce.ibmcloud.com/vulnerabilities/50963 oval:org.mitre.oval:def:11179 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11179 oval:org.mitre.oval:def:7469 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7469 Common Vulnerability Exposure (CVE) ID: CVE-2009-1387 HPdes Security Advisory: HPSBMA02492 HPdes Security Advisory: SSRT100079 NETBSD Security Advisory: NetBSD-SA2009-009 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10740 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7592 SuSE Security Announcement: SUSE-SR:2009:012 (Google Search)
Copyright	Copyright (C) 2009 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.