[Pkg-openssl-devel] Bug#532037: Bug#532037: CVE-2009-138{6, 7}: Two OpenSSL DTLS remote DoS

Kurt Roeckx kurt at roeckx.be
Thu Jun 18 22:47:53 UTC 2009


On Mon, Jun 08, 2009 at 08:57:20PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> > Package: openssl
> > Severity: serious
> > Tags: security
> > 
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for openssl.
> > 
> > CVE-2009-1386[0]:
> > | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> > | a denial of service (NULL pointer dereference and daemon crash) via a
> > | DTLS ChangeCipherSpec packet that occurs before ClientHello.
> > 
> > CVE-2009-1387[1]:
> > | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> > | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> > | of service (NULL pointer dereference and daemon crash) via an
> > | out-of-sequence DTLS handshake message, related to a "fragment bug."
> 
> Packages for stable and oldstable are available at:
> http://people.debian.org/~kroeckx/openssl/
> 
> Note that the issues fixed in previous versions were never
> uploaded to the security archive, so both fix 5 CVEs.

Hi,

Nothing happened with this yet.  Are you planning on releasing a
DSA for this, or should I just upload them to proposed-updates
instead?


Kurt





