[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 May 2009 09:32:04 +0100 (BST)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Two OpenSSL DTLS remote DoS
Spotted on openssl-dev, two issues that can lead to a remote attacker
exhausting memory of a DTLS enabled service. DTLS support was introduced
in OpenSSL 0.9.8.
CVE-2009-1377 DTLS epoch record buffer memory DoS
http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
http://marc.info/?l=openssl-dev&m=124247675613888&w=2
http://cvs.openssl.org/chngview?cn=18187
CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2009-1378 DTLS fragment handling memory DoS
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
http://marc.info/?t=124250665500033&r=1&w=2
http://cvs.openssl.org/chngview?cn=18188
(Note doesn't have a backported 0.9.8 patch yet, follow openssl-dev)
CVSSv2= 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
Thanks, Mark
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
