Alert GCSA-12003 - Vulnerabilities in OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************************************************************
Alert ID : GCSA-12003
Date : 11 January 2012
Title : Vulnerabilities in OpenSSL
******************************************************************
:: Problem description
New versions of OpenSSL have been released
that fix 6 vulnerabilities present in the software:
DTLS Plaintext Recovery Attack (CVE-2011-4108)
Double-free in Policy Checks (CVE-2011-4109)
Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
SGC Restart DoS Attack (CVE-2011-4619)
Invalid GOST parameters DoS Attack (CVE-2012-0027)
:: Affected software
OpenSSL versions prior to 0.9.8s
OpenSSL versions prior to 1.0.0f
:: Impact
Denial of service
Remote execution of arbitrary code
Disclosure of sensitive information
:: Solutions
Update OpenSSL
to version 0.9.8s or to version 1.0.0f
http://openssl.org/source/
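The following is an added example, not part of the original advisory, showing how to check whether an OpenSSL version string falls below the fixed versions named above (0.9.8s for the 0.9.8 branch, 1.0.0f for the 1.0.0 branch). It parses the output of `openssl version`, handles OpenSSL's letter-suffix ordering (0.9.8 < 0.9.8a < ... < 0.9.8z < 0.9.8za), and reports "unknown" for branches the advisory does not cover. The sample version strings in the block are constructed test inputs.

```python
"""Check an OpenSSL version string against the fixed versions in GCSA-12003.

Added example; not code from the advisory or from the OpenSSL project.
"""
import re
import subprocess

# Branch -> first fixed letter release, as stated in the advisory.
FIXED = {
    (0, 9, 8): "s",   # 0.9.8s
    (1, 0, 0): "f",   # 1.0.0f
}

# Matches e.g. "OpenSSL 0.9.8r 8 Feb 2011" or "OpenSSL 1.0.0-fips".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def letter_key(letters):
    """Sort key for OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def is_affected(text):
    """True if the version predates the fix, False if fixed or newer,
    None if the string is unparseable or the branch is not covered here."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, letters = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return letter_key(letters) < letter_key(fixed)


def check_installed():
    """Run the local `openssl version` binary and classify it."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=False).stdout.strip()
    return out, is_affected(out)


if __name__ == "__main__":
    # Constructed sample strings; not real output captured from any host.
    for sample in ("OpenSSL 0.9.8r", "OpenSSL 0.9.8s", "OpenSSL 1.0.0e",
                   "OpenSSL 1.0.0f", "OpenSSL 1.0.0-fips"):
        print(f"{sample:20} affected={is_affected(sample)}")
    version, affected = check_installed()
    print(f"installed: {version!r} affected={affected}")
```

Caveat for practitioners: distributions such as Debian, Ubuntu and RHEL backport security fixes without bumping the upstream version letter, so a plain version-string check can report a patched build as affected. On those systems, confirm via the package manager's changelog or security notices rather than relying on this check alone.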
:: References
OpenSSL Security Advisory
http://openssl.org/news/secadv_20120104.txt
Mitre's CVE ID
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
SecurityFocus Bugtraq ID
http://www.securityfocus.com/bid/51281
SANS ISC Diary
http://isc.sans.edu/diary.html?storyid=12322
US DOE JC3-CIRC bulletin
http://www.doecirc.energy.gov/bulletins/u-076.shtml
-----BEGIN PGP SIGNATURE-----
iQCVAwUBTw1ur/OB+SpikaiRAQK2UgQArUNTLFt4K+PI6TarI7+JP1NMlNFCDMEA
2K5jGPiDPbkvv5KABd7SkWbOXzSySKdcPlYaktDkMltPcLWezjLzOAimYkbjAXmi
/18Pdbosw100sTZvrrvQl7mCrqc7yCZ5mwW9JSnGIKBg46UYhu+FS6jwvIDg2Djq
s9SCPG9h9Wg=
=4Ay8
-----END PGP SIGNATURE-----