[Pkg-openssl-devel] Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Nico Golde
nion at debian.org
Wed May 28 14:46:51 UTC 2008
Package: openssl
Version: 0.9.8f-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.
CVE-2008-0891[0]:
| OpenSSL Server Name extension crash
|
| Testing using the Codenomicon TLS test suite discovered a flaw in the
| handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
| 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
| name extensions, a remote attacker could send a carefully crafted
| packet to a server application using OpenSSL and cause a crash.
CVE-2008-1672[1]:
| OpenSSL Omit Server Key Exchange message crash
|
| Testing using the Codenomicon TLS test suite discovered a flaw if the
| 'Server Key exchange message' is omitted from a TLS handshake in
| OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
| malicious server with particular cipher suites, the server could cause
| the client to crash.
Please not that these discriptions are not yet published on the mitre site.
Check out http://www.openssl.org/news/secadv_20080528.txt in the meantime.
Patches for both issues are attached.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891
http://security-tracker.debian.net/tracker/CVE-2008-0891
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672
http://security-tracker.debian.net/tracker/CVE-2008-1672
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-0891.patch
Type: text/x-diff
Size: 1237 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20080528/1473352f/attachment.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-1672.patch
Type: text/x-diff
Size: 1555 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20080528/1473352f/attachment-0001.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20080528/1473352f/attachment.pgp
More information about the Pkg-openssl-devel
mailing list