TUCoPS :: Web :: General :: dsa-393.htm

openssl - denial of service

Debian Security Advisory

DSA-393-1 openssl -- denial of service

Date Reported:
01 Oct 2003
Affected Packages:
openssl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CAN-2003-0543, CAN-2003-0544.
More information:

Dr. Stephen Henson (steve@openssl.org), using a test suite provided by NISCC (http://www.niscc.gov.uk/), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability. However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.4.

For the unstable distribution (sid) these problems have been fixed in version 0.9.7c-1.

We recommend that you update your openssl package. Note that you will need to restart services which use the libssl library for this update to take effect.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_arm.deb
HPPA:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_ia64.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH