Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/08/05 22:23:52 UTC

DO NOT REPLY [Bug 47649] New: OpenSSL version is out of date; Upgrade to 0.9.8k

https://issues.apache.org/bugzilla/show_bug.cgi?id=47649

           Summary: OpenSSL version is out of date; Upgrade to 0.9.8k
           Product: Apache httpd-2
           Version: 2.2.12
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Win32 MSI Installer
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: business2008@rodneybeede.com


--- Comment #0 from Rodney <bu...@rodneybeede.com> 2009-08-05 13:23:50 PDT ---
OpenSSL bundled with the Win32 installer comes with an out-of-date version of
OpenSSL.

OpenSSL version 0.9.8k should be used which resolves the following issues:

---------------

OpenSSL versions before 0.9.8k are affected by multiple vulnerabilities:

ASN1 printing crash (CVE-2009-0590). The ASN1_STRING_print_ex function in
affected versions of OpenSSL could allow remote attackers to cause a denial of
service (invalid memory access and application crash) via vectors that trigger
printing of a BMPString or UniversalString with an invalid length.

Incorrect Error Checking During CMS verification (CVE-2009-0591). When CMS is
enabled, the CMS_verify function does not properly handle errors associated
with malformed signed attributes. This could allow remote attackers to
repudiate a signature that originally appeared to be valid but was actually
invalid.

Invalid ASN1 clearing check (CVE-2009-0789). On WIN64 and certain other
platforms affected versions of OpenSSL do not properly handle a malformed ASN.1
structure. This could allow remote attackers to cause a denial of service
(invalid memory access and application crash) by placing this structure in the
public key of a certificate, as demonstrated by an RSA public key.

--------------

Multiple OpenSSL DTLS Denial of Service Vulnerabilities

The dtls1_buffer_record function in OpenSSL 0.9.8k and earlier could allow
remote attackers to cause a denial of service (memory consumption) via a large
series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS
record buffer limitation bug". (CVE-2009-1377)

OpenSSL 0.9.8 up to and including 0.9.8k could allow remote attackers to cause
a denial of service (memory consumption) via DTLS records that are duplicates,
or have sequence numbers much greater than current sequence numbers (DTLS
fragment handling memory leak). (CVE-2009-1378)

OpenSSL 1.0.0 Beta2 contains a use-after-free vulnerability in the
dtls1_retrieve_fragment function. This could allow remote attackers to cause a
denial of service (openssl s_client crash) and possibly have unspecified other
impact via a DTLS packet, as demonstrated by a packet from a server that uses a
crafted server certificate. (CVE-2009-1379)

The dtls1_retrieve_buffered_fragment function in OpenSSL before 1.0.0 beta2
could allow remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via an out-of-sequence DTLS handshake message,
related to a "fragment bug". (CVE-2009-1387)

---------------

OpenSSL DSA/ECDSA "EVP_VerifyFinal()" Spoofing Vulnerability

OpenSSL before 0.9.8j does not properly check the return value from the
EVP_VerifyFinal function. This could allow remote attackers to bypass
validation of the certificate chain via a malformed SSL/TLS signature for DSA
and ECDSA keys.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
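The DTLS denial-of-service items in the report above (CVE-2009-1377, CVE-2009-1378) come down to a record buffer that grows without bound. The following is an added illustration, not OpenSSL's code or anything from the bug thread: a constructed DTLS record queue that applies the missing bounds, with a cap on buffered future-epoch records, duplicate rejection, and a window on how far ahead a sequence number may be. The struct names, `MAX_BUFFERED` and `MAX_SEQ_AHEAD` are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a bounded DTLS record queue. All names and limits
 * here are assumptions for illustration, not OpenSSL's own. */
#define MAX_BUFFERED  32   /* assumed cap on queued future-epoch records */
#define MAX_SEQ_AHEAD 64   /* assumed acceptance window within an epoch */

struct dtls_record { uint16_t epoch; uint64_t seq; };

struct record_queue {
    struct dtls_record buf[MAX_BUFFERED];
    size_t count;        /* never exceeds MAX_BUFFERED: memory stays bounded */
    uint16_t cur_epoch;
    uint64_t next_seq;   /* next sequence number expected in cur_epoch */
};

enum verdict { ACCEPTED, BUFFERED, DROP_OLD, DROP_DUP, DROP_WINDOW, DROP_FULL };

static int queued_already(const struct record_queue *q, struct dtls_record r) {
    for (size_t i = 0; i < q->count; i++)
        if (q->buf[i].epoch == r.epoch && q->buf[i].seq == r.seq) return 1;
    return 0;
}

/* Classify an incoming record. Nothing here allocates, so a flood of
 * future-epoch, duplicate or far-ahead records cannot grow memory. */
enum verdict receive_record(struct record_queue *q, struct dtls_record r) {
    if (r.epoch < q->cur_epoch) return DROP_OLD;
    if (r.epoch == q->cur_epoch) {
        if (r.seq < q->next_seq) return DROP_DUP;              /* replay/old */
        if (r.seq >= q->next_seq + MAX_SEQ_AHEAD) return DROP_WINDOW;
        q->next_seq = r.seq + 1;
        return ACCEPTED;
    }
    /* Only records for the very next epoch are worth holding. */
    if (r.epoch != (uint16_t)(q->cur_epoch + 1)) return DROP_WINDOW;
    if (queued_already(q, r)) return DROP_DUP;
    if (q->count >= MAX_BUFFERED) return DROP_FULL;         /* the cap */
    q->buf[q->count++] = r;
    return BUFFERED;
}

/* Flood case: offer n distinct next-epoch records, report how many were
 * actually buffered (bounded by MAX_BUFFERED regardless of n). */
size_t flood_future_epoch(struct record_queue *q, size_t n) {
    size_t buffered = 0;
    for (size_t i = 0; i < n; i++) {
        struct dtls_record r = { (uint16_t)(q->cur_epoch + 1), (uint64_t)i };
        if (receive_record(q, r) == BUFFERED) buffered++;
    }
    return buffered;
}
```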


DO NOT REPLY [Bug 47649] OpenSSL version is out of date; Upgrade to 0.9.8k

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47649


Will Rowe <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX


--- Comment #1 from Will Rowe <wr...@apache.org> 2009-08-05 14:11:53 PDT ---
We are familiar with these; they only primarily affect httpd as a client (think
proxy connections to an untrusted back end server).  Therefore there appeared
no urgency to updating this.

The httpd contributors update OpenSSL upon each release, so with the 2.2.13
release, there will be an updated openssl bundled.
