Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Производитель ПО
Наименование ПО
OpenSSL
(0.9.7, 0.9.7l, 0.9.8, 0.9.8d)
Описание
Переполнение буфера в функции SSL_get_shared_ciphers в OpenSSL позволяет злоумышленнику выполнить произвольный код через удаленные векторы атаки, включая длинные списки шифров.
Как исправить
Для устранения уязвимости необходимо установить последнюю версию продукта, соответствующую используемой платформе. Необходимую информацию можно получить по адресу:
http://www.openssl.org/
http://www.openssl.org/
Ссылки
http://www.openssl.org/news/secadv_20060928.txt
CERT-VN (VU#547300): http://www.kb.cert.org/vuls/id/547300
BID (20249): http://www.securityfocus.com/bid/20249
FULLDISC (20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released): http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
https://issues.rpath.com/browse/RPL-613
DEBIAN (DSA-1185): http://www.debian.org/security/2006/dsa-1185
FREEBSD (FreeBSD-SA-06:23.openssl): http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
MANDRIVA (MDKSA-2006:172): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:172
MANDRIVA (MDKSA-2006:177): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:177
MANDRIVA (MDKSA-2006:178): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:178
REDHAT (RHSA-2006:0695): http://www.redhat.com/support/errata/RHSA-2006-0695.html
SLACKWARE (SSA:2006-272-01): http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
UBUNTU (USN-353-1): http://www.ubuntu.com/usn/usn-353-1
FRSIRT (ADV-2006-3820): http://www.frsirt.com/english/advisories/2006/3820
FRSIRT (ADV-2006-3860): http://www.frsirt.com/english/advisories/2006/3860
XF (openssl-sslgetsharedciphers-bo(29237)): http://xforce.iss.net/xforce/xfdb/29237
http://kolab.org/security/kolab-vendor-notice-11.txt
OPENPKG (OpenPKG-SA-2006.021): http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
SUSE (SUSE-SA:2006:058): http://www.novell.com/linux/security/advisories/2006_58_openssl.html
TRUSTIX (2006-0054): http://www.trustix.org/errata/2006/0054
FRSIRT (ADV-2006-3902): http://www.frsirt.com/english/advisories/2006/3902
SECTRACK (1016943): http://securitytracker.com/id?1016943
http://openvpn.net/changelog.html
http://www.serv-u.com/releasenotes/
OPENBSD ([3.9] 20061007 013: SECURITY FIX: October 7, 2006): http://openbsd.org/errata.html#openssl2
FRSIRT (ADV-2006-3869): http://www.frsirt.com/english/advisories/2006/3869
FRSIRT (ADV-2006-3936): http://www.frsirt.com/english/advisories/2006/3936
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
DEBIAN (DSA-1195): http://www.debian.org/security/2006/dsa-1195
SUNALERT (102668): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
SUSE (SUSE-SR:2006:024): http://www.novell.com/linux/security/advisories/2006_24_sr.html
FRSIRT (ADV-2006-4036): http://www.frsirt.com/english/advisories/2006/4036
OSVDB (29262): http://www.osvdb.org/29262
GENTOO (GLSA-200610-11): http://security.gentoo.org/glsa/glsa-200610-11.xml
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=498093&RenditionID=&poid=8881
SGI (20061001-01-P): ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
FRSIRT (ADV-2006-4314): http://www.frsirt.com/english/advisories/2006/4314
FRSIRT (ADV-2006-4264): http://www.frsirt.com/english/advisories/2006/4264
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
CISCO (20061108 Multiple Vulnerabilities in OpenSSL library): http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
CISCO (20061108 Multiple Vulnerabilities in OpenSSL Library): http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
SUNALERT (102711): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102711-1
FRSIRT (ADV-2006-4417): http://www.frsirt.com/english/advisories/2006/4417
FRSIRT (ADV-2006-4401): http://www.frsirt.com/english/advisories/2006/4401
FRSIRT (ADV-2006-4443): http://www.frsirt.com/english/advisories/2006/4443
http://docs.info.apple.com/article.html?artnum=304829
APPLE (APPLE-SA-2006-11-28): http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
CERT (TA06-333A): http://www.us-cert.gov/cas/techalerts/TA06-333A.html
FRSIRT (ADV-2006-4750): http://www.frsirt.com/english/advisories/2006/4750
http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
GENTOO (GLSA-200612-11): http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
HP (HPSBUX02174): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
HP (HPSBUX02186): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
FRSIRT (ADV-2007-0343): http://www.frsirt.com/english/advisories/2007/0343
SECTRACK (1017522): http://securitytracker.com/id?1017522
HP (HPSBTU02207): https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
FRSIRT (ADV-2007-1401): http://www.frsirt.com/english/advisories/2007/1401
CERT-VN (VU#547300): http://www.kb.cert.org/vuls/id/547300
BID (20249): http://www.securityfocus.com/bid/20249
FULLDISC (20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released): http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
https://issues.rpath.com/browse/RPL-613
DEBIAN (DSA-1185): http://www.debian.org/security/2006/dsa-1185
FREEBSD (FreeBSD-SA-06:23.openssl): http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
MANDRIVA (MDKSA-2006:172): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:172
MANDRIVA (MDKSA-2006:177): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:177
MANDRIVA (MDKSA-2006:178): http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:178
REDHAT (RHSA-2006:0695): http://www.redhat.com/support/errata/RHSA-2006-0695.html
SLACKWARE (SSA:2006-272-01): http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
UBUNTU (USN-353-1): http://www.ubuntu.com/usn/usn-353-1
FRSIRT (ADV-2006-3820): http://www.frsirt.com/english/advisories/2006/3820
FRSIRT (ADV-2006-3860): http://www.frsirt.com/english/advisories/2006/3860
XF (openssl-sslgetsharedciphers-bo(29237)): http://xforce.iss.net/xforce/xfdb/29237
http://kolab.org/security/kolab-vendor-notice-11.txt
OPENPKG (OpenPKG-SA-2006.021): http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
SUSE (SUSE-SA:2006:058): http://www.novell.com/linux/security/advisories/2006_58_openssl.html
TRUSTIX (2006-0054): http://www.trustix.org/errata/2006/0054
FRSIRT (ADV-2006-3902): http://www.frsirt.com/english/advisories/2006/3902
SECTRACK (1016943): http://securitytracker.com/id?1016943
http://openvpn.net/changelog.html
http://www.serv-u.com/releasenotes/
OPENBSD ([3.9] 20061007 013: SECURITY FIX: October 7, 2006): http://openbsd.org/errata.html#openssl2
FRSIRT (ADV-2006-3869): http://www.frsirt.com/english/advisories/2006/3869
FRSIRT (ADV-2006-3936): http://www.frsirt.com/english/advisories/2006/3936
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
DEBIAN (DSA-1195): http://www.debian.org/security/2006/dsa-1195
SUNALERT (102668): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
SUSE (SUSE-SR:2006:024): http://www.novell.com/linux/security/advisories/2006_24_sr.html
FRSIRT (ADV-2006-4036): http://www.frsirt.com/english/advisories/2006/4036
OSVDB (29262): http://www.osvdb.org/29262
GENTOO (GLSA-200610-11): http://security.gentoo.org/glsa/glsa-200610-11.xml
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=498093&RenditionID=&poid=8881
SGI (20061001-01-P): ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
FRSIRT (ADV-2006-4314): http://www.frsirt.com/english/advisories/2006/4314
FRSIRT (ADV-2006-4264): http://www.frsirt.com/english/advisories/2006/4264
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
CISCO (20061108 Multiple Vulnerabilities in OpenSSL library): http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
CISCO (20061108 Multiple Vulnerabilities in OpenSSL Library): http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
SUNALERT (102711): http://sunsolve.sun.com/search/document.do?assetkey=1-26-102711-1
FRSIRT (ADV-2006-4417): http://www.frsirt.com/english/advisories/2006/4417
FRSIRT (ADV-2006-4401): http://www.frsirt.com/english/advisories/2006/4401
FRSIRT (ADV-2006-4443): http://www.frsirt.com/english/advisories/2006/4443
http://docs.info.apple.com/article.html?artnum=304829
APPLE (APPLE-SA-2006-11-28): http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
CERT (TA06-333A): http://www.us-cert.gov/cas/techalerts/TA06-333A.html
FRSIRT (ADV-2006-4750): http://www.frsirt.com/english/advisories/2006/4750
http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
GENTOO (GLSA-200612-11): http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
HP (HPSBUX02174): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
HP (HPSBUX02186): http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
FRSIRT (ADV-2007-0343): http://www.frsirt.com/english/advisories/2007/0343
SECTRACK (1017522): http://securitytracker.com/id?1017522
HP (HPSBTU02207): https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
FRSIRT (ADV-2007-1401): http://www.frsirt.com/english/advisories/2007/1401