Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 May 2009 09:32:04 +0100 (BST)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Two OpenSSL DTLS remote DoS

Spotted on openssl-dev, two issues that can lead to a remote attacker 
exhausting memory of a DTLS enabled service.  DTLS support was introduced 
in OpenSSL 0.9.8.

CVE-2009-1377 DTLS epoch record buffer memory DoS

 	http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
         http://marc.info/?l=openssl-dev&m=124247675613888&w=2
         http://cvs.openssl.org/chngview?cn=18187

 	CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVE-2009-1378 DTLS fragment handling memory DoS

 	http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
         http://marc.info/?t=124250665500033&r=1&w=2

 	http://cvs.openssl.org/chngview?cn=18188
 	(Note doesn't have a backported 0.9.8 patch yet, follow openssl-dev)

 	CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

Thanks, Mark

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.