[PLSA 2009-50] Openssl: Multiple Vulnerabilities

Summary

Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Description

1) An error exists in the "ASN1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings. This can be exploited to trigger an invalid memory access and cause a crash via an illegally encoded string length, e.g. when printing the contents of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition when processing malformed signed attributes. This can be exploited to trick an application into considering a malformed set of signed attributes valid and skip further checks.

3) An error when processing malformed ASN1 structures can be exploited to trigger an invalid memory access and cause a crash via a specially crafted certificate.

Packages

Pardus 2008

Resolution

Updates are available for openssl. You can install them via the Package Manager or with a single command from the console:

Pardus 2008

pisi up openssl
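After applying the update, an administrator will want to confirm which OpenSSL the system is actually running. The following script is an added example and not part of the Pardus advisory or the pisi tooling: it parses the output of `openssl version` (0.9.x releases use a trailing letter as the patch level) into a comparable tuple and checks it against a minimum. The advisory does not state the patched version, so `MIN_FIXED_VERSION` is a placeholder to be replaced with the version carried by the updated package.

```python
"""Compare the running OpenSSL version against a required minimum.

Added example; not code from the advisory. MIN_FIXED_VERSION is a
placeholder because the advisory gives no fixed version number.
"""
import re
import subprocess

# PLACEHOLDER: the advisory does not state the patched version. Set this to
# the upstream version of the openssl package installed by `pisi up openssl`.
MIN_FIXED_VERSION = "0.9.8k"

# Accepts both "OpenSSL 0.9.8k 25 Mar 2009" and a bare "0.9.8k".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn an OpenSSL version string into a (major, minor, fix, patch) tuple.

    0.9.x and 1.0.x releases append letters as the patch level ('k', 'zh', ...),
    so the suffix is converted to a base-26 number: no suffix = 0, 'a' = 1,
    ..., 'z' = 26, 'za' = 27, ... which keeps tuple comparison monotonic.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def is_at_least(version_text, minimum_text=MIN_FIXED_VERSION):
    """True when version_text describes a release >= minimum_text."""
    return parse_openssl_version(version_text) >= parse_openssl_version(minimum_text)


def installed_openssl_version():
    """Run `openssl version` and return its first output line (empty if absent)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""
    return out.strip().splitlines()[0] if out.strip() else ""


if __name__ == "__main__":
    installed = installed_openssl_version()
    if not installed:
        print("openssl binary not found or not runnable")
    elif is_at_least(installed):
        print("%s meets minimum %s" % (installed, MIN_FIXED_VERSION))
    else:
        print("%s is OLDER than minimum %s; update required" % (installed, MIN_FIXED_VERSION))
```

Note that distributions frequently backport security fixes without changing the upstream version string, so the package version reported by the package manager remains the authoritative signal; this check covers the upstream string only.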

References