[Pkg-openssl-devel] Bug#483379: Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues

Christoph Martin martin at uni-mainz.de
Wed May 28 15:12:00 UTC 2008


Hi Niko,

Nico Golde wrote:
> Package: openssl
> Version: 0.9.8f-1
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
> 
> CVE-2008-0891[0]:
> | OpenSSL Server Name extension crash
> | 
> | Testing using the Codenomicon TLS test suite discovered a flaw in the
> | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
> | 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
> | name extensions, a remote attacker could send a carefully crafted
> | packet to a server application using OpenSSL and cause a crash.

This one does not affect the current Debian version, since it is not
compiled with the tlsext option.

> 
> CVE-2008-1672[1]:
> | OpenSSL Omit Server Key Exchange message crash
> | 
> | Testing using the Codenomicon TLS test suite discovered a flaw if the
> | 'Server Key exchange message' is omitted from a TLS handshake in
> | OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
> | malicious server with particular cipher suites, the server could cause
> | the client to crash.
> 

Christoph
-- 
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin at Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856
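The client-side consistency check whose absence CVE-2008-1672 describes, as an added example that is not part of the bug report or of OpenSSL's code: a small Python parser over constructed TLS 1.0 server handshake flights that rejects a flight negotiating an ephemeral DH suite while omitting the Server Key Exchange message, instead of going on to use parameters that were never received. The "particular cipher suites" of the report are assumed here to be the DHE suites (the page does not name them); suite ids and handshake types are the TLS registry values, while the certificate and DH bodies are placeholders.

```python
import struct

# Cipher suite ids from the TLS registry. DHE suites use an ephemeral
# Diffie-Hellman exchange and therefore REQUIRE a ServerKeyExchange message;
# the static RSA suites must not carry one.
EPHEMERAL_SUITES = {0x0016: "DHE_RSA_3DES_EDE_CBC_SHA", 0x0033: "DHE_RSA_AES_128_CBC_SHA"}
STATIC_RSA_SUITES = {0x002F: "RSA_AES_128_CBC_SHA", 0x0035: "RSA_AES_256_CBC_SHA"}

# HandshakeType values from RFC 4346.
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14

def handshake_msg(msg_type, body):
    """Encode one handshake message: type(1) + length(3) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def server_hello(suite):
    """Constructed ServerHello: version, 32-byte random, empty session id, suite, null compression."""
    return handshake_msg(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00")

def parse_flight(data):
    """Split a concatenated server flight into (type, body) tuples, rejecting truncation."""
    msgs, i = [], 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated handshake header")
        msg_type, length = data[i], int.from_bytes(data[i + 1:i + 4], "big")
        body = data[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((msg_type, body))
        i += 4 + length
    return msgs

def check_server_flight(data):
    """Return the negotiated suite id if the flight is consistent with it, else raise ValueError.
    This is the check a client must make before touching any key-exchange parameters."""
    msgs = parse_flight(data)
    types = [t for t, _ in msgs]
    if not types or types[0] != SERVER_HELLO or types[-1] != SERVER_HELLO_DONE:
        raise ValueError("flight must run from ServerHello to ServerHelloDone")
    body = msgs[0][1]
    if len(body) < 35 or len(body) < 38 + body[34]:   # session id length sits after version + random
        raise ValueError("ServerHello too short")
    suite = struct.unpack(">H", body[35 + body[34]:37 + body[34]])[0]
    if suite in EPHEMERAL_SUITES and SERVER_KEY_EXCHANGE not in types:
        raise ValueError(f"{EPHEMERAL_SUITES[suite]} negotiated but ServerKeyExchange omitted")
    if suite in STATIC_RSA_SUITES and SERVER_KEY_EXCHANGE in types:
        raise ValueError(f"unexpected ServerKeyExchange for {STATIC_RSA_SUITES[suite]}")
    if suite not in EPHEMERAL_SUITES and suite not in STATIC_RSA_SUITES:
        raise ValueError(f"unknown cipher suite 0x{suite:04x}")
    return suite

def is_valid_flight(data):
    """Boolean wrapper: True if the flight passes check_server_flight, False otherwise."""
    try:
        return check_server_flight(data) is not None
    except ValueError:
        return False

# Constructed sample flights (certificate and DH bodies are placeholders, not real data).
CERT, DONE = handshake_msg(CERTIFICATE, b"\x00\x00\x00"), handshake_msg(SERVER_HELLO_DONE, b"")
SKE = handshake_msg(SERVER_KEY_EXCHANGE, b"\x00\x01\x05" * 3)
GOOD_DHE = server_hello(0x0033) + CERT + SKE + DONE
OMITTED_SKE = server_hello(0x0033) + CERT + DONE   # the flight shape CVE-2008-1672 describes
GOOD_RSA = server_hello(0x002F) + CERT + DONE
```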
