SB2015092505 - Debian update for openssl
Published: September 25, 2015
Security Bulletin ID
SB2015092505
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2003-0543)
The vulnerability allows a remote attacker to cause a denial of service.The vulnerability exists due to an integer overflow in OpenSSL 0.9.6 and 0.9.7. A remote unauthenticated attacker can cause a denial of service via an SSL client certificate with certain ASN.1 tag values.
Successful exploitation of this vulnerability may result in cause a denial of service.
2) Improper input validation (CVE-ID: CVE-2003-0544)
The vulnerability allows a remote attacker to cause a denial of service.The vulnerability exists due to incorrect tracking of the number of characters in certain ASN.1 inputs. A remote unauthenticated attacker can cause a denial of service by sending an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
Successful exploitation of this vulnerability may result in a denial of service.
Remediation
Install update from vendor's website.