Date: Tue, 2 Jun 2009 11:02:33 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Two OpenSSL DTLS remote DoS Hi! There are 2 more issues that cause DTLS server to crash (NULL pointer dereference DoS), detailed in upstream bug reports linked below. CVE-2009-1386 DTLS: SegFault if ChangeCipherSpec is received before ClientHello http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest http://cvs.openssl.org/chngview?cn=17369 This was first fixed upstream in 0.9.8i. CVE-2009-1387 DTLS fragment bug - out-of-sequence message handling http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest http://cvs.openssl.org/chngview?cn=17958 Here NULL pointer dereference resulting in DTLS server crash can happen in dtls1_retrieve_buffered_fragment() during memcpy from frag->fragment. This is fixed in 1.0.0-beta2, not yet in the latest 0.9.8 available at the moment - 0.9.8k. Both issues should be reproducible by connecting using 1.0.0-beta2 s_client to 0.9.8 s_server. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.