
SANS ISC: OpenSSL Vulnerabilities

OpenSSL Vulnerabilities
On September 30th, the OpenSSL group released a security advisory about vulnerabilities in the SSL code that may cause a DoS (Denial of Service) and, possibly, remote compromise.

The vulnerabilities include a flaw in the OpenSSL implementation of the Abstract Syntax Notation One (ASN.1) data format, and also an unusual, but possible, exploitation of the code that verifies certificates, which may result in a DoS attack.

All versions up to and including 0.9.6j and 0.9.7b are affected. All versions of SSLeay are known to be affected as well.

Upgrade to the recently released versions, 0.9.6k or 0.9.7c. Note that the OpenSSL libraries can be loaded dynamically or compiled statically into the respective binary. For dynamically loaded libraries, updating the OpenSSL library is sufficient; statically linked programs have to be recompiled. To check which libraries are loaded dynamically, use the 'ldd' command.
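As an added example (not part of the ISC diary), a small POSIX shell triage script that applies the 'ldd' check above and, for statically linked programs that 'ldd' cannot inspect, looks for the "OpenSSL 0.9.x" version text the library compiles into every binary; the sample ldd/strings outputs are constructed, and `check_binary` assumes `ldd` and `strings` exist on the host.

```shell
#!/bin/sh
# Added example, not from the ISC diary: triage OpenSSL linkage on a host.
# Dynamically linked programs pick up the fixed libssl/libcrypto once the
# library package is updated; statically linked ones embed their own copy
# and must be rebuilt. `ldd` shows the former; for the latter we look for the
# version text that OpenSSL compiles into the binaries that link it.

# classify_ldd TEXT: prints dynamic-openssl | static | no-openssl-dependency
classify_ldd() {
    case "$1" in
        *"not a dynamic executable"*) echo static; return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic-openssl
    else
        echo no-openssl-dependency
    fi
}

# embedded_openssl_version TEXT: first "OpenSSL 0.9.x" version found in
# `strings` output, or "none"
embedded_openssl_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSL \(0\.9\.[0-9][a-z]*\).*/\1/p' | head -n 1)
    echo "${v:-none}"
}

# version_vulnerable VERSION: exit 0 if affected by the 30 Sep 2003 advisory
# (everything up to and including 0.9.6j and 0.9.7b), 1 if fixed, 2 if unknown
version_vulnerable() {
    case "$1" in
        0.9.[0-5]*|0.9.6|0.9.6[a-j]|0.9.7|0.9.7[ab]) return 0 ;;
        0.9.6[k-z]*|0.9.7[c-z]*) return 1 ;;
        *) return 2 ;;
    esac
}

# check_binary PATH: run both checks against a real file (needs ldd/strings)
check_binary() {
    kind=$(classify_ldd "$(ldd "$1" 2>&1)")
    ver=$(embedded_openssl_version "$(strings "$1" 2>/dev/null)")
    echo "$1: $kind, embedded OpenSSL version: $ver"
}

# Constructed sample outputs, standing in for real ldd/strings results
SAMPLE_LDD_DYNAMIC='libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40020000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40050000)'
SAMPLE_LDD_STATIC='not a dynamic executable'
SAMPLE_STRINGS_STATIC='... OpenSSL 0.9.7b 10 Apr 2003 ...'
```

A binary that `ldd` reports as dynamic-openssl is fixed by the library update alone; one reported as static with an embedded version that `version_vulnerable` flags must be rebuilt against 0.9.6k or 0.9.7c.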
References:

- OpenSSL Security Advisory
- Fixed OpenSSL versions: 0.9.6k and 0.9.7c

The major Linux distributions are announcing new OpenSSL packages to correct the issues.

Oct 2nd 2003