
| Subject: | Re: [Full-disclosure] SUSE Security Announcement: openssl security problems (SUSE-SA:2006:058) |
|---|---|
| Date: | Thu, 28 Sep 2006 21:58:58 +0300 |
So you are giving credit to some pseudo 0days (corporate promotion), but you are not giving credit to some pseudo 0days - see quoted text. Is this on purpose?

On Thu, Sep 28, 2006 at 06:48:19PM +0200, Marcus Meissner wrote:
> 1) Problem Description and Brief Discussion
>
> Several security problems were found and fixed in the OpenSSL cryptographic library.
>
> CVE-2006-3738/VU#547300: A Google security audit found a buffer overflow condition within the SSL_get_shared_ciphers() function which has been fixed.
>
> CVE-2006-4343/VU#386964: The above Google security audit also found that the OpenSSL SSLv2 client code fails to properly check for NULL which could lead to a server program using openssl to crash.
>
> CVE-2006-2937: Fix mishandling of an error condition in parsing of certain invalid ASN1 structures, which could result in an infinite loop which consumes system memory.
>
> CVE-2006-2940: Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack to cause the remote side to spend an excessive amount of time in computation.
>
> 2) Solution or Work-Around
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
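The first item in the quoted advisory (CVE-2006-3738) is a buffer overflow in SSL_get_shared_ciphers(), a routine that joins cipher names into a caller-supplied buffer. The following is an added, constructed illustration of how that bug class is avoided; it is not OpenSSL's code, and the function name `join_ciphers` and the cipher-name sample are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of cipher names a peer might offer (not real data). */
static const char *sample_ciphers[] = {
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"
};
#define SAMPLE_COUNT (sizeof(sample_ciphers) / sizeof(sample_ciphers[0]))

/* Hardened join (hypothetical, not OpenSSL's): writes names as "A:B:C"
 * into buf, whose capacity is len bytes including the terminator.
 * Returns buf on success, or NULL if the list would not fit; on failure
 * buf is left empty rather than partially or over-filled.
 * A typical mistake in this pattern is to compare each name only against
 * the total buffer size instead of the space still remaining. */
char *join_ciphers(const char **names, size_t count, char *buf, size_t len)
{
    size_t used = 0;               /* invariant: used <= len */
    if (buf == NULL || len == 0)
        return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        /* Need n bytes for the name plus one for ':' or the final '\0'. */
        if (n + 1 > len - used) {
            buf[0] = '\0';
            return NULL;
        }
        memcpy(buf + used, names[i], n);
        used += n;
        buf[used++] = ':';         /* trailing ':' becomes '\0' below */
    }
    if (used > 0)
        used--;                    /* drop the last separator */
    buf[used] = '\0';
    return buf;
}

int main(void)
{
    char buf[64];
    if (join_ciphers(sample_ciphers, SAMPLE_COUNT, buf, sizeof buf) != NULL)
        printf("shared: %s\n", buf);
    else
        printf("buffer too small\n");
    return 0;
}
```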