[Pkg-openssl-devel] Bug#522002: Bug#522002: openssl: CVE-2009-0590 denial of service
Kurt Roeckx
kurt at roeckx.be
Wed Apr 1 17:14:06 UTC 2009
On Tue, Mar 31, 2009 at 12:03:42AM -0400, Michael S. Gilbert wrote:
> Package: openssl
> Severity: important
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
>
> CVE-2009-0590[0]:
> The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
> remote attackers to cause a denial of service (invalid memory access
> and application crash) via vectors that trigger printing of a (1)
> BMPString or (2) UniversalString with an invalid encoded length.
>
> This was just fixed in ubuntu [1]. Please coordinate with the
> security team to release fixes for the stable releases.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
> http://security-tracker.debian.net/tracker/CVE-2009-0590
> [1] http://www.ubuntu.com/usn/usn-750-1
I've attached the patch from upstream CVS.
Kurt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2009-0590.diff
Type: text/x-diff
Size: 2541 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20090401/c2fbf97d/attachment-0001.diff
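As an added illustration of the defect class the report describes (this is not the attached upstream patch and not OpenSSL's own code), a decoder for the two fixed-width ASN.1 string types that rejects an encoded length that is not a whole number of characters before touching the buffer. The tag values are assumed to match OpenSSL's V_ASN1_BMPSTRING and V_ASN1_UNIVERSALSTRING constants; the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdint.h>

/* ASN.1 universal tag numbers (assumed equal to OpenSSL's V_ASN1_* values). */
#define TAG_BMPSTRING        30  /* UCS-2, 2 bytes per character */
#define TAG_UNIVERSALSTRING  28  /* UCS-4, 4 bytes per character */

/* Bytes per character for the fixed-width string types, 0 if not handled. */
static size_t char_width(int tag)
{
    switch (tag) {
    case TAG_BMPSTRING:       return 2;
    case TAG_UNIVERSALSTRING: return 4;
    default:                  return 0;
    }
}

/*
 * Decode a fixed-width string into code points. Returns the number of
 * code points written, or -1 when the length is not a multiple of the
 * character width (the malformed encoding behind CVE-2009-0590) or the
 * output buffer is too small. Validating first keeps the loop from ever
 * reading a partial trailing character past the end of the input.
 */
static int decode_fixed_width(int tag, const unsigned char *buf, size_t len,
                              uint32_t *out, size_t out_cap)
{
    size_t w = char_width(tag);
    if (w == 0 || len % w != 0)      /* reject truncated/oversized encodings */
        return -1;
    size_t n = len / w;
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = 0;
        for (size_t j = 0; j < w; j++)   /* big-endian, as BER requires */
            cp = (cp << 8) | buf[i * w + j];
        out[i] = cp;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed samples: BMPString "Hi" (valid) and a 3-byte BMPString (invalid). */
    const unsigned char ok[]  = {0x00, 'H', 0x00, 'i'};
    const unsigned char bad[] = {0x00, 'H', 0x00};
    uint32_t cps[8];
    printf("valid:   %d\n", decode_fixed_width(TAG_BMPSTRING, ok, sizeof ok, cps, 8));
    printf("invalid: %d\n", decode_fixed_width(TAG_BMPSTRING, bad, sizeof bad, cps, 8));
    return 0;
}
```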