Vulnerability card
Vulnerability characteristics
Severity level
CVSS score
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Software vendor
Software name
OpenSSL
(0.9.7, 0.9.7l, 0.9.8, 0.9.8d)
Description
OpenSSL contains a flaw that can allow a remote denial of service. The vulnerability stems from an error in the handling of malformed ASN.1 structures, which can lead to an infinite loop and excessive memory consumption.
How to fix
To remediate the vulnerability, install the latest version of the product for the platform in use. The necessary information is available at:
http://www.openssl.org/
References
OSVDB (29260): http://www.osvdb.org/29260
http://www.openssl.org/news/secadv_20060928.txt
CERT-VN (VU#247744): http://www.kb.cert.org/vuls/id/247744
FULLDISC (20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released): http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
https://issues.rpath.com/browse/RPL-613
DEBIAN (DSA-1185): http://www.debian.org/security/2006/dsa-1185
FREEBSD (FreeBSD-SA-06:23.openssl): http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
MANDRIVA (MDKSA-2006:172): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:172
MANDRIVA (MDKSA-2006:177): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:177
MANDRIVA (MDKSA-2006:178): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:178
REDHAT (RHSA-2006:0695): http://www.redhat.com/support/errata/RHSA-2006-0695.html
SLACKWARE (SSA:2006-272-01): http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
UBUNTU (USN-353-1): http://www.ubuntu.com/usn/usn-353-1
BID (20248): http://www.securityfocus.com/bid/20248
FRSIRT (ADV-2006-3820): http://www.frsirt.com/english/advisories/2006/3820
FRSIRT (ADV-2006-3860): http://www.frsirt.com/english/advisories/2006/3860
XF (openssl-asn1-error-dos(29228)): http://xforce.iss.net/xforce/xfdb/29228
http://kolab.org/security/kolab-vendor-notice-11.txt
OPENPKG (OpenPKG-SA-2006.021): http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
SUSE (SUSE-SA:2006:058): http://www.novell.com/linux/security/advisories/2006_58_openssl.html
TRUSTIX (2006-0054): http://www.trustix.org/errata/2006/0054
FRSIRT (ADV-2006-3902): http://www.frsirt.com/english/advisories/2006/3902
SECTRACK (1016943): http://securitytracker.com/id?1016943
http://openvpn.net/changelog.html
http://www.serv-u.com/releasenotes/
OPENBSD ([3.9] 20061007 013: SECURITY FIX: October 7, 2006): http://openbsd.org/errata.html#openssl2
FRSIRT (ADV-2006-3869): http://www.frsirt.com/english/advisories/2006/3869
FRSIRT (ADV-2006-3936): http://www.frsirt.com/english/advisories/2006/3936
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf
SUNALERT (102668): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
SUSE (SUSE-SR:2006:024): http://www.novell.com/linux/security/advisories/2006_24_sr.html
FRSIRT (ADV-2006-4019): http://www.frsirt.com/english/advisories/2006/4019
FRSIRT (ADV-2006-4036): http://www.frsirt.com/english/advisories/2006/4036
GENTOO (GLSA-200610-11): http://security.gentoo.org/glsa/glsa-200610-11.xml
MLIST ([bind-announce] 20061103 Internet Systems Consortium Security Advisory. [revised]): http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445&w=2
http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf
SGI (20061001-01-P): ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
FRSIRT (ADV-2006-4264): http://www.frsirt.com/english/advisories/2006/4264
FRSIRT (ADV-2006-4327): http://www.frsirt.com/english/advisories/2006/4327
FRSIRT (ADV-2006-4329): http://www.frsirt.com/english/advisories/2006/4329
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
CISCO (20061108 Multiple Vulnerabilities in OpenSSL library): http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
CISCO (20061108 Multiple Vulnerabilities in OpenSSL Library): http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
FRSIRT (ADV-2006-4417): http://www.frsirt.com/english/advisories/2006/4417
FRSIRT (ADV-2006-4401): http://www.frsirt.com/english/advisories/2006/4401
http://docs.info.apple.com/article.html?artnum=304829
APPLE (APPLE-SA-2006-11-28): http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
CERT (TA06-333A): http://www.us-cert.gov/cas/techalerts/TA06-333A.html
FRSIRT (ADV-2006-4750): http://www.frsirt.com/english/advisories/2006/4750
http://www.f-secure.com/security/fsc-2006-6.shtml
FRSIRT (ADV-2006-4761): http://www.frsirt.com/english/advisories/2006/4761
http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
GENTOO (GLSA-200612-11): http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
HP (HPSBUX02174): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
SUNALERT (102747): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
FRSIRT (ADV-2006-4980): http://www.frsirt.com/english/advisories/2006/4980
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
HP (HPSBUX02186): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
FRSIRT (ADV-2007-0343): http://www.frsirt.com/english/advisories/2007/0343
HP (HPSBTU02207): https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
FRSIRT (ADV-2007-1401): http://www.frsirt.com/english/advisories/2007/1401