Date: Mon, 18 May 2009 09:32:04 +0100 (BST) From: Mark J Cox <mjc@...hat.com> To: oss-security@...ts.openwall.com Subject: Two OpenSSL DTLS remote DoS Spotted on openssl-dev, two issues that can lead to a remote attacker exhausting memory of a DTLS enabled service. DTLS support was introduced in OpenSSL 0.9.8. CVE-2009-1377 DTLS epoch record buffer memory DoS http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest http://marc.info/?l=openssl-dev&m=124247675613888&w=2 http://cvs.openssl.org/chngview?cn=18187 CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P CVE-2009-1378 DTLS fragment handling memory DoS http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest http://marc.info/?t=124250665500033&r=1&w=2 http://cvs.openssl.org/chngview?cn=18188 (Note doesn't have a backported 0.9.8 patch yet, follow openssl-dev) CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P Thanks, Mark
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.