Test ID:	1.3.6.1.4.1.25623.1.0.800336
Category:	General
Title:	OpenSSL: Multiple Vulnerabilities (CVE-2009-0129, CVE-2008-7270, CVE-2008-5077) - Linux
Summary:	OpenSSL is prone to multiple vulnerabilities.
Description:	Summary: OpenSSL is prone to multiple vulnerabilities. Vulnerability Insight: The following flaws exist: - CVE-2009-0129: libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions - CVE-2008-7270: OpenSSL, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache - CVE-2008-5077: OpenSSL does not properly check the return value from the EVP_VerifyFinal function Vulnerability Impact: - CVE-2009-0129: The flaw might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature - CVE-2008-7270: The flaw allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier - CVE-2008-5077: The flaw allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys Affected Software/OS: OpenSSL version prior to 0.9.8j. Solution: Update to version 0.9.8j. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-0129 http://openwall.com/lists/oss-security/2009/01/12/4 Common Vulnerability Exposure (CVE) ID: CVE-2008-7270 BugTraq ID: 45254 http://www.securityfocus.com/bid/45254 HPdes Security Advisory: HPSBHF02706 http://marc.info/?l=bugtraq&m=132077688910227&w=2 HPdes Security Advisory: HPSBMU02759 http://www.securityfocus.com/archive/1/522176 HPdes Security Advisory: SSRT100613 HPdes Security Advisory: SSRT100817 http://www.redhat.com/support/errata/RHSA-2010-0977.html http://www.redhat.com/support/errata/RHSA-2010-0978.html http://www.redhat.com/support/errata/RHSA-2011-0896.html http://secunia.com/advisories/42493 http://ubuntu.com/usn/usn-1029-1 Common Vulnerability Exposure (CVE) ID: CVE-2008-5077 1021523 http://www.securitytracker.com/id?1021523 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.securityfocus.com/archive/1/499827/100/0/threaded 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim http://www.securityfocus.com/archive/1/502322/100/0/threaded 250826 http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1 33150 http://www.securityfocus.com/bid/33150 33338 http://secunia.com/advisories/33338 33394 http://secunia.com/advisories/33394 33436 http://secunia.com/advisories/33436 33557 http://secunia.com/advisories/33557 33673 http://secunia.com/advisories/33673 33765 http://secunia.com/advisories/33765 34211 http://secunia.com/advisories/34211 35074 http://secunia.com/advisories/35074 35108 http://secunia.com/advisories/35108 39005 http://secunia.com/advisories/39005 ADV-2009-0040 http://www.vupen.com/english/advisories/2009/0040 ADV-2009-0289 http://www.vupen.com/english/advisories/2009/0289 ADV-2009-0362 http://www.vupen.com/english/advisories/2009/0362 ADV-2009-0558 http://www.vupen.com/english/advisories/2009/0558 ADV-2009-0904 http://www.vupen.com/english/advisories/2009/0904 ADV-2009-0913 http://www.vupen.com/english/advisories/2009/0913 ADV-2009-1297 http://www.vupen.com/english/advisories/2009/1297 ADV-2009-1338 http://www.vupen.com/english/advisories/2009/1338 APPLE-SA-2009-05-12 http://lists.apple.com/archives/security-announce/2009/May/msg00002.html GLSA-200902-02 http://security.gentoo.org/glsa/glsa-200902-02.xml HPSBMA02426 http://marc.info/?l=bugtraq&m=124277349419254&w=2 HPSBOV02540 http://marc.info/?l=bugtraq&m=127678688104458&w=2 HPSBUX02418 http://marc.info/?l=bugtraq&m=123859864430555&w=2 RHSA-2009:0004 http://www.redhat.com/support/errata/RHSA-2009-0004.html SSA:2009-014-01 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796 SSRT090002 SSRT090053 SUSE-SU-2011:0847 http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html TA09-133A http://www.us-cert.gov/cas/techalerts/TA09-133A.html USN-704-1 https://usn.ubuntu.com/704-1/ http://support.apple.com/kb/HT3549 http://support.avaya.com/elmodocs2/security/ASA-2009-038.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653 http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html http://www.ocert.org/advisories/ocert-2008-016.html http://www.openssl.org/news/secadv_20090107.txt http://www.vmware.com/security/advisories/VMSA-2009-0004.html openSUSE-SU-2011:0845 http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html oval:org.mitre.oval:def:6380 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6380 oval:org.mitre.oval:def:9155 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9155
Copyright	Copyright (C) 2009 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.