On September 30th, the OpenSSL group released a security advisory about vulnerabilities in the SSL code that may cause a DoS (Denial of Service) and, possibly, remote compromise.
The vulnerabilities include a flaw in the OpenSSL implementation of the Abstract Syntax Notation One (ASN.1) data format and also an unusual, but possible, exploitation of the certificate verification code that may result in a DoS attack.
All versions up to and including 0.9.6j and 0.9.7b are affected. All versions of SSLeay are known to be affected as well.
Upgrade to the recently released versions 0.9.6k or 0.9.7c. However, the OpenSSL libraries can be loaded dynamically or compiled statically into the respective binary. For dynamically loaded libraries, updating the OpenSSL library is sufficient. Statically linked programs have to be recompiled. To check which libraries are loaded dynamically, use the 'ldd' command.
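The ldd check described above, written out as an added example that is not part of the original diary entry: a small POSIX sh script (the function names scan_binary, classify_ldd_output and embedded_openssl_version are my own) that reports, for each binary given on the command line, whether it loads libssl/libcrypto dynamically (covered by the library update) or shows no dynamic OpenSSL dependency. For the latter case it also looks for the version text that OpenSSL compiles into every build ("OpenSSL 0.9.6j 10 Apr 2003" style), which is what identifies a statically linked program that must be recompiled. The ldd output used in the usage comments is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage binaries for the OpenSSL 0.9.6k / 0.9.7c update.
# Usage: sh openssl_link_check.sh /usr/sbin/httpd /usr/sbin/sshd ...

# Read ldd output on stdin and classify the binary named in $1.
# Prints "<path> dynamic <libs...>" when libssl/libcrypto are loaded
# dynamically, otherwise "<path> none".
classify_ldd_output() {
    # awk's $1 is the first column of each ldd line (the library soname).
    libs=$(awk '/lib(ssl|crypto)\.so/ { printf "%s%s", sep, $1; sep = " " }')
    if [ -n "$libs" ]; then
        echo "$1 dynamic $libs"
    else
        echo "$1 none"
    fi
}

# Read a binary on stdin and print the embedded OpenSSL version text
# (e.g. "OpenSSL 0.9.6j"), or nothing if no such string is present.
# Non-printable bytes are turned into newlines so sed sees clean lines.
embedded_openssl_version() {
    tr -c '[:print:]' '\n' \
        | sed -n 's/.*\(OpenSSL [0-9][0-9a-z.]*\).*/\1/p' \
        | head -n 1
}

# Full check for one file: dynamic dependency first, then static fallback.
scan_binary() {
    if ! out=$(ldd "$1" 2>/dev/null); then
        # ldd prints "not a dynamic executable" (and fails) for static
        # binaries; see whether an OpenSSL build string is compiled in.
        ver=$(embedded_openssl_version < "$1")
        if [ -n "$ver" ]; then
            echo "$1 static $ver (recompile required)"
        else
            echo "$1 static-or-not-elf (no OpenSSL string found)"
        fi
        return 0
    fi
    printf '%s\n' "$out" | classify_ldd_output "$1"
}

# Constructed ldd output such as
#   libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40020000)
#   libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40050000)
# classifies as "dynamic libssl.so.0.9.7 libcrypto.so.0.9.7".
for f in "$@"; do
    scan_binary "$f"
done
```

A binary reported as dynamic is fixed as soon as the shared libssl/libcrypto on the host are replaced and the process is restarted; one reported as static with an OpenSSL version string older than 0.9.6k or 0.9.7c has to be rebuilt against the new library.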
OpenSSL Security Advisory:
Fixed OpenSSL Versions:
- Version: 0.9.6k: http://www.openssl.org/source/openssl-0.9.6k.tar.gz
- Version: 0.9.7c: http://www.openssl.org/source/openssl-0.9.7c.tar.gz
The major Linux distributions are announcing new OpenSSL packages to correct the issues.
Send comments to isc _AT_ sans.org
Oct 2nd 2003