| Summary: | The remote host is missing updates announced in;advisory RHSA-2009:1335.;;OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3);and Transport Layer Security (TLS v1) protocols, as well as a full-strength;general purpose cryptography library. Datagram TLS (DTLS) is a protocol;based on TLS that is capable of securing datagram transport (for example,;UDP).;;Multiple denial of service flaws were discovered in OpenSSL's DTLS;implementation. A remote attacker could use these flaws to cause a DTLS;server to use excessive amounts of memory, or crash on an invalid memory;access or NULL pointer dereference. (CVE-2009-1377, CVE-2009-1378,;CVE-2009-1379, CVE-2009-1386, CVE-2009-1387);;Note: These flaws only affect applications that use DTLS. Red Hat does not;ship any DTLS client or server applications in Red Hat Enterprise Linux.;;An input validation flaw was found in the handling of the BMPString and;UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex();function. An attacker could use this flaw to create a specially-crafted;X.509 certificate that could cause applications using the affected function;to crash when printing certificate contents. (CVE-2009-0590);;Note: The affected function is rarely used. No application shipped with Red;Hat Enterprise Linux calls this function, for example. |
| Description: | Summary:
The remote host is missing updates announced in
advisory RHSA-2009:1335.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a full-strength
general purpose cryptography library. Datagram TLS (DTLS) is a protocol
based on TLS that is capable of securing datagram transport (for example,
UDP).
Multiple denial of service flaws were discovered in OpenSSL's DTLS
implementation. A remote attacker could use these flaws to cause a DTLS
server to use excessive amounts of memory, or crash on an invalid memory
access or NULL pointer dereference. (CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386, CVE-2009-1387)
Note: These flaws only affect applications that use DTLS. Red Hat does not
ship any DTLS client or server applications in Red Hat Enterprise Linux.
An input validation flaw was found in the handling of the BMPString and
UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex()
function. An attacker could use this flaw to create a specially-crafted
X.509 certificate that could cause applications using the affected function
to crash when printing certificate contents. (CVE-2009-0590)
Note: The affected function is rarely used. No application shipped with Red
Hat Enterprise Linux calls this function, for example.
Solution:
OpenSSL users should upgrade to these updated packages, which resolve these
issues and add these enhancements.
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
