OpenSSL: denial of service vulnerabilities [LWN.net]

Package(s):

OpenSSL

CVE #(s):

CAN-2004-0081 CAN-2003-0851

Created:

March 17, 2004

Updated:

November 2, 2005

Description:

Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.

Alerts:

Red Hat	RHSA-2005:830-00	2005-11-02
Red Hat	RHSA-2005:829-00	2005-11-02
Fedora	FEDORA-2005-1042	2005-10-31
Fedora-Legacy	FLSA:1395	2004-05-08
Conectiva	CLA-2004:834	2004-03-31
Whitebox	WBSA-2004:084-01	2004-03-23
Red Hat	RHSA-2004:084-01	2004-03-23
Fedora	FEDORA-2004-095	2004-03-19
Whitebox	WBSA-2004:120-01	2004-03-22
Trustix	TSLSA-2004-0012	2004-03-17
Slackware	SSA:2004-077-01	2004-03-17
Red Hat	RHSA-2004:121-01	2004-03-17
OpenPKG	OpenPKG-SA-2004.007	2004-03-18
Gentoo	200403-03	2004-03-17
Debian	DSA-465-1	2004-03-17
Netwosix	NW-2004-0005	2004-03-17
Mandrake	MDKSA-2004:023	2004-03-17
SuSE	SuSE-SA:2004:007	2004-03-17
Red Hat	RHSA-2004:120-01	2004-03-17
Red Hat	RHSA-2004:119-01	2004-03-17
EnGarde	ESA-20040317-003	2004-03-17

(Log in to post comments)

OpenSSL: denial of service vulnerabilities

Posted Nov 3, 2005 9:14 UTC (Thu) by mjcox@redhat.com (subscriber, #31775) [Link]

Note that this issue was originally reported in 2004 as not affecting OpenSSL versions prior to 0.9.6c, and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b did not crash. However, an alternative reproducer has been written which shows that this issue does affect versions of OpenSSL prior to 0.9.6c.