SB2015092504 - Debian update for openssl095
Published: September 25, 2015
Security Bulletin ID
SB2015092504
Severity
Critical
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2003-0543)
The vulnerability allows a remote attacker to cause a denial of service.The vulnerability exists due to an integer overflow in OpenSSL 0.9.6 and 0.9.7. A remote unauthenticated attacker can cause a denial of service via an SSL client certificate with certain ASN.1 tag values.
Successful exploitation of this vulnerability may result in cause a denial of service.
2) Improper input validation (CVE-ID: CVE-2003-0544)
The vulnerability allows a remote attacker to cause a denial of service.The vulnerability exists due to incorrect tracking of the number of characters in certain ASN.1 inputs. A remote unauthenticated attacker can cause a denial of service by sending an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
Successful exploitation of this vulnerability may result in a denial of service.
3) ASN.1 parser deallocation buffer overflow (CVE-ID: CVE-2003-0545)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists in OpenSSL. A remote unauthenticated attacker can cause a denial of service and possible arbitrary code execution via an SSL client certificate with a certain invalid ASN.1 encoding.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.