
Red Hat has released updated OpenSSL packages for Red Hat Linux
OpenSSL is a commercial-grade, full-featured, open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully crafted SSL client certificate to an application. The effects of such an attack vary depending on the application targeted; against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to this issue.
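The bug class above is a DER tag/length header decoder that does not bounds-check unusual encodings. The following is an added illustration, not OpenSSL's code or the patched routine: a small header parser (the `der_hdr` type and `der_parse_header` function are assumed names) that decodes high-tag-number tags and long-form lengths while refusing truncated, indefinite, non-minimal or overflowing headers instead of reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded DER tag-length header (assumed helper type, not OpenSSL's). */
typedef struct {
    uint32_t tag;        /* tag number, high-tag-number form decoded */
    uint8_t  cls;        /* class bits: 0x00 universal .. 0xC0 private */
    int      constructed;
    size_t   len;        /* length of the content octets */
    size_t   hdr_len;    /* octets consumed by tag + length */
} der_hdr;

/* Parse one DER tag + length. Returns 1 on success, 0 on any malformed
 * header. Never reads past buf[n-1], so odd tags cannot crash the caller. */
int der_parse_header(const uint8_t *buf, size_t n, der_hdr *h) {
    size_t i = 1;
    if (n == 0) return 0;
    h->cls = buf[0] & 0xC0;
    h->constructed = (buf[0] & 0x20) != 0;
    h->tag = buf[0] & 0x1F;
    if (h->tag == 0x1F) {                 /* high-tag-number form: base-128 */
        uint32_t t = 0;
        for (;;) {
            if (i >= n) return 0;                 /* truncated tag */
            if (t > (UINT32_MAX >> 7)) return 0;  /* would overflow 32 bits */
            t = (t << 7) | (buf[i] & 0x7F);
            if ((buf[i++] & 0x80) == 0) break;
        }
        if (t < 0x1F) return 0;           /* should have used low-tag form */
        h->tag = t;
    }
    if (i >= n) return 0;                 /* no length octet */
    uint8_t lb = buf[i++];
    if (lb < 0x80) {
        h->len = lb;                      /* short form */
    } else {
        int nbytes = lb & 0x7F;           /* long form: nbytes length octets */
        if (nbytes == 0 || nbytes > (int)sizeof(size_t)) return 0; /* indefinite/oversized */
        size_t len = 0;
        for (int k = 0; k < nbytes; k++) {
            if (i >= n) return 0;         /* truncated length */
            len = (len << 8) | buf[i++];
        }
        if (len < 0x80) return 0;         /* non-minimal long form */
        h->len = len;
    }
    if (h->len > n - i) return 0;         /* content runs past the buffer */
    h->hdr_len = i;
    return 1;
}
```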